ABSTRACT. We introduce an extension of Hoare logic for call-by-value higher-order functions with 
ML-like local reference generation. Local references may be generated dynamically and exported 
outside their scope, may store higher-order functions and may be used to construct complex muta- 
ble data structures. This primitive is captured logically using a predicate asserting reachability of a 
reference name from a possibly higher-order datum and quantifiers over hidden references. We ex- 
plore the logic's descriptive and reasoning power with non-trivial programming examples combining 
higher-order procedures and dynamically generated local state. Axioms for reachability and local 
invariant play a central role for reasoning about the examples. 
1. Introduction 

Reference Generation in Higher-Order Programming. This paper proposes an extension of 
Hoare Logic [17] for call-by-value higher-order functions with ML-like new reference generation, 
and demonstrates its use through non-trivial reasoning examples. New reference generation, 
embodied for example in ML's ref-construct, is a highly expressive programming primitive. The 
first key functionality of this construct is to introduce local state into the dynamics of programs by 
generating a fresh reference inaccessible from the outside. Consider the following program: 

$$\mathsf{Inc} \;\stackrel{\mathrm{def}}{=}\; \mathsf{let}\ x = \mathsf{ref}(0)\ \mathsf{in}\ \lambda().(x := {!x} + 1;\ {!x}) \qquad (1.1)$$

where "ref(M)" returns a fresh reference whose content is the value which M evaluates to; "!x" 
denotes dereferencing the imperative variable x; and ";" is sequential composition. In (1.1), a 
reference with content 0 is newly created, but never exported to the outside. When the anonymous 
function in Inc is invoked, it increments the content of the local variable x, and returns the new 
content. The procedure returns a different result at each call, whose source is hidden from external 
observers. This is different from λ().(x := !x + 1; !x) where x is globally accessible. 

Secondly, local references may be exported outside of their original scope and be shared, 
contributing to the expressivity of significant imperative idioms. Let us show how stored procedures 
interact with new reference generation and sharing of references. We consider the following 
program from [39, § 6]: 

$$\mathsf{incShared} \;\stackrel{\mathrm{def}}{=}\; a := \mathsf{Inc};\ b := {!a};\ z_1 := ({!a})();\ z_2 := ({!b})();\ ({!z_1} + {!z_2}) \qquad (1.2)$$

The initial content of the hidden x is 0. Following the standard semantics of ML [38], the assignment 
b := !a copies the code (or a pointer to the code) from a to b while sharing the store x. Hence the 
content of x is incremented every time the functions stored in a and b, sharing the same store x, 
are called, returning 3 at the end of the program incShared. To understand the behaviour of 
incShared precisely and give it an appropriate specification, we must capture the sharing of x 
between the procedures assigned to a and b. From the viewpoint of visibility, the scope of x is 
originally restricted to the function stored in a but gets extruded to and shared by the one stored in 
b. If we replace b := !a by b := Inc as follows, two separate instances of Inc (hence with separate 
hidden stores) are assigned to a and b, and the final result is not 3 but 2. 

$$\mathsf{incUnShared} \;\stackrel{\mathrm{def}}{=}\; a := \mathsf{Inc};\ b := \mathsf{Inc};\ z_1 := ({!a})();\ z_2 := ({!b})();\ ({!z_1} + {!z_2}) \qquad (1.3)$$

Controlling the sharing of local references is essential for writing concise algorithms that manipulate 
functions with shared store, or mutable data structures such as trees and graphs, but complicates 
formal reasoning, even for relatively small programs [18, 34, 36]. 
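As an added, executable illustration of (1.1)-(1.3) (example code, not part of the paper), the following Python models ML's ref with a small Ref class, where a fresh instance plays the role of a fresh location, and uses closures for λ-abstractions. It runs the shared and unshared variants and also contrasts Inc with the globally accessible variant λ().(x := !x + 1; !x), whose counter any code holding x can reset; the class and function names are this example's own.

```python
# Added example (not from the paper): ML-style local references in Python.
# `Ref` stands for ML's ref; each instance is a distinct location.
# Function and class names here are the example's own choices.

class Ref:
    """A mutable cell, playing the role of a location created by ref(M)."""
    def __init__(self, v):
        self.v = v


def inc():
    """Inc (1.1): let x = ref(0) in λ().(x := !x + 1; !x).

    The cell x is created here and captured only by the returned closure,
    so no caller can name it: the source of the counter's change is hidden.
    """
    x = Ref(0)

    def body():
        x.v = x.v + 1       # x := !x + 1
        return x.v          # !x
    return body


def global_inc(x):
    """The contrast λ().(x := !x + 1; !x) with x globally accessible."""
    def body():
        x.v = x.v + 1
        return x.v
    return body


def inc_shared():
    """incShared (1.2): a := Inc; b := !a; z1 := (!a)(); z2 := (!b)(); (!z1 + !z2)."""
    a = Ref(inc())
    b = Ref(a.v)            # b := !a copies the closure; both share the same x
    z1 = Ref(a.v())         # x becomes 1
    z2 = Ref(b.v())         # x becomes 2
    return z1.v + z2.v      # 1 + 2 = 3


def inc_unshared():
    """incUnShared (1.3): b := Inc gives a second instance with its own hidden x."""
    a = Ref(inc())
    b = Ref(inc())
    z1 = Ref(a.v())         # a's x becomes 1
    z2 = Ref(b.v())         # b's x becomes 1
    return z1.v + z2.v      # 1 + 1 = 2


def interference():
    """Only the global variant can be disturbed from outside.

    Returns (hidden_result, global_result): the hidden counter keeps counting,
    while the global one restarts after someone resets x in between.
    """
    hidden = inc()
    x = Ref(0)
    exposed = global_inc(x)
    hidden()
    exposed()               # both counters now at 1
    x.v = 0                 # outside code rewrites the exposed cell; Inc's x has no name
    return hidden(), exposed()   # (2, 1)
```

The last function is the point a practitioner cares about: a counter whose cell has escaped can be reset by any code that shares the name, whereas the ν-bound cell of Inc can only be changed through the closure itself. This is the property the hiding quantifiers of the logic are designed to express.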

Thirdly, through information hiding, local references can be used for efficient implementations 
of highly regular observable behaviour, for example, purely functional behaviour. The following 
program, taken from [49, § 1], called memFact, is a simple memoised factorial. 

$$\mathsf{memFact} \;\stackrel{\mathrm{def}}{=}\; \mathsf{let}\ a = \mathsf{ref}(0),\ b = \mathsf{ref}(1)\ \mathsf{in}\ \lambda x.\,\mathsf{if}\ x = {!a}\ \mathsf{then}\ {!b}\ \mathsf{else}\ (a := x;\ b := \mathsf{fact}(x);\ {!b}) \qquad (1.4)$$

Here fact is the standard factorial function. To external observers, memFact behaves purely func- 
tionally. The program implements a simple case of memoisation: when memFact is called with the 
argument stored in a, it immediately returns the stored value !b without calculation. If x differs from 
a's content, the factorial fact(x) is calculated and the new pair is stored. For complex functions, 
memoisation can lead to substantial speedups, but for this to be meaningful we need a memoised function 
to behave indistinguishably from the original function except for efficiency. So we ask: why can 
we say memFact is indistinguishable from the pure factorial function? The answer to this question 
can be articulated clearly through a local invariant property [49] which can be stated informally as 
follows: 

Throughout all possible invocations of memFact, the content of b is the factorial of 
the content of a. 

Such local invariants capture one of the basic patterns in programming with local state, and play a 
key role in preceding studies of operational reasoning about program equivalence in the presence 
of local state [27, 48, 49, 59]. Can we distill this principle axiomatically and use it to validate 
efficiently properties of higher-order programs with local state such as memFact? 

As a further example of local invariants, this time involving mutually recursive stored functions, 
consider the following program: 

$$\mathsf{mutualParity} \;\stackrel{\mathrm{def}}{=}\; \begin{array}{l} x := \lambda n.\,\mathsf{if}\ n = 0\ \mathsf{then}\ \mathsf{f}\ \mathsf{else}\ ({!y})(n-1);\\ y := \lambda n.\,\mathsf{if}\ n = 0\ \mathsf{then}\ \mathsf{t}\ \mathsf{else}\ ({!x})(n-1) \end{array} \qquad (1.5)$$

After running mutualParity, the application (!x)n returns t if n is odd and otherwise f; (!y)n 
acts dually. But since x and y are free, a program may disturb mutualParity's functioning by 
inappropriate assignment: if a program reads from x and stores it in another variable, say z, assigns 
a diverging function to x, and feeds the content of z with 7, then the program diverges rather than 
returning t. 

With local state, we can avoid unexpected interference at x and y. 

$$\mathsf{safeOdd} \;\stackrel{\mathrm{def}}{=}\; \mathsf{let}\ x = \mathsf{ref}(\lambda n.\mathsf{t}),\ y = \mathsf{ref}(\lambda n.\mathsf{t})\ \mathsf{in}\ (\mathsf{mutualParity};\ {!x}) \qquad (1.6)$$

$$\mathsf{safeEven} \;\stackrel{\mathrm{def}}{=}\; \mathsf{let}\ x = \mathsf{ref}(\lambda n.\mathsf{t}),\ y = \mathsf{ref}(\lambda n.\mathsf{t})\ \mathsf{in}\ (\mathsf{mutualParity};\ {!y}) \qquad (1.7)$$

(Here λn.t can be any initialising value.) Now that x, y are inaccessible, the programs behave 
like pure functions, e.g. safeOdd(3) always returns t without any side effects. Similarly 
safeOdd(16) always returns f. In this case, the invariant says: 

Throughout all possible invocations, safeOdd is a procedure which checks if its ar- 
gument is odd, provided y stores a procedure which does the dual, whereas safeEven 
is a procedure which checks if its argument is even, whenever x stores a dual pro- 
cedure. 

Later we present general reasoning principles for local invariants which can verify properties of 
these two and many other non-trivial examples [27, 31, 32, 34, 48, 49]. 

Contribution. This paper studies a Hoare logic for imperative higher-order functions with dynamic 
reference generation, a core part of ML-like languages. Starting from their origins in the λ-calculus, 
the syntactic and semantic properties of typed higher-order functional programming languages such 
as Haskell and ML have been studied extensively, making them an ideal target for the formal vali- 
dation of properties of programs on a rigorous semantic basis. Further, given the expressive power 
of imperative higher-order functions (attested to by the encodability of objects [10, 46, 47] and of 
low-level idioms), a study of logics for these languages may have wide repercussions on logics 
of programming languages in general. 

Such languages [1, 2] combine higher-order functions and imperative features including new 
reference generation. Extending Hoare logic to these languages leads to technical difficulties due to 
three fundamental features: 

• Higher-order functions, including stored ones. 

• General forms of aliasing induced by nested reference types. 

• Dynamically generated local references and scope extrusion. 
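To make the two local-invariant examples of the introduction concrete, here is an added Python model (example code, not from the paper) of memFact (1.4), mutualParity (1.5) and safeOdd/safeEven (1.6, 1.7), again with a Ref class standing in for ML references. The invariant checker returned beside the memoised function, and the exception that stands in for a diverging function so the example itself terminates, are devices of this example and not part of the programs in the paper.

```python
# Added example (not from the paper): local invariants for memFact and safeOdd/safeEven.
# Ref models ML references; fact is the ordinary factorial. All names are the example's own.

class Ref:
    def __init__(self, v):
        self.v = v


def fact(n):
    r = 1
    for k in range(2, n + 1):
        r *= k
    return r


def mem_fact():
    """memFact (1.4): let a = ref(0), b = ref(1) in
       λx. if x = !a then !b else (a := x; b := fact(x); !b).

    Returns the function together with a checker for the local invariant
    '!b = fact(!a)'. The checker exists only so this example can observe the
    hidden cells; it is not part of memFact, whose cells stay hidden.
    """
    a, b = Ref(0), Ref(1)

    def f(x):
        if x == a.v:
            return b.v
        a.v = x
        b.v = fact(x)
        return b.v

    def invariant_holds():
        return b.v == fact(a.v)
    return f, invariant_holds


def mutual_parity(x, y):
    """mutualParity (1.5) run against the two given cells x and y."""
    x.v = lambda n: False if n == 0 else y.v(n - 1)   # odd
    y.v = lambda n: True if n == 0 else x.v(n - 1)    # even


def safe_odd():
    """safeOdd (1.6): the cells are created here and never escape."""
    x, y = Ref(lambda n: True), Ref(lambda n: True)
    mutual_parity(x, y)
    return x.v


def safe_even():
    """safeEven (1.7)."""
    x, y = Ref(lambda n: True), Ref(lambda n: True)
    mutual_parity(x, y)
    return y.v


class Diverges(Exception):
    """Stands in for a non-terminating call, so the example itself terminates."""


def disturbed_parity():
    """The interference scenario: with x and y free, read x into z,
    overwrite x with a diverging function, then call z's content on 7."""
    x, y = Ref(lambda n: True), Ref(lambda n: True)
    mutual_parity(x, y)
    z = Ref(x.v)

    def diverge(n):
        raise Diverges()
    x.v = diverge
    try:
        return z.v(7)        # 7 is odd, so the undisturbed answer would be True
    except Diverges:
        return "diverges"
```

The invariant checker is worth running after every call, including the memoised hit: it is exactly the property that lets memFact be substituted for fact. The disturbed run shows why safeOdd hides its cells: the copied closure in z still reaches x through y, so a later write to x changes what z computes.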

The first is the central feature of these languages; the second arises by allowing reference types 
to occur in other types; the third feature has been discussed above. In preceding studies, we built 
Hoare logics for core parts of ML which cover the first two features [6, 22, 24, 25]. On the basis 
of these works, the present work introduces an extension of Hoare logic for ML-like local reference 
generation. As noted above, this construct enriches programs' behaviour radically, and has so far 
defied clean logical and axiomatic treatment. A central challenge is to identify simple but expressive 
logical primitives, proof rules (for Hoare triples) and axioms (for assertions), enabling tractable 
assertions and verification. 

The program logic proposed in the present paper introduces a predicate representing reacha- 
bility of a reference from an arbitrary datum in order to represent new reference generation. Since 
we are working with higher-order programs, a datum and a reference may as well be, or store, a 
higher-order function. We shall show that this predicate is fully axiomatisable using (in)equality 
when it only involves first-order data types (the result is closely related with known axiomatisations 
of reachability). However we shall also show that the predicate becomes undecidable when 
higher-order types are involved, indicating an inherent intractability. 

The good news is, however, that this predicate enables us, when combined with a pair of mutually 
dual hiding quantifiers (i.e. quantifiers ranging over variables denoting hidden references), to obtain 
a simple compositional proof rule for new reference generation, preserving all the compositional 
proof rules for the remaining constructs from our foregoing program logics. 

At the level of assertions, we can find a set of useful axioms for (un)reachability and the hid- 
ing quantifiers, which are effectively combined with logical primitives and associated axioms for 
higher-order functions and aliasing studied in our preceding works [6, 25]. These axioms for reach- 
ability and hiding quantifiers are closely related with reasoning principles studied in existing seman- 
tic studies on local state, such as the principle of local invariants [49]. The local invariant axioms 
capture common patterns in reasoning about local state, and enable us to verify the examples in 
[27, 31, 32, 34, 48, 49] axiomatically, including programs discussed above. The program logic also 
satisfies strong completeness properties including the standard relative completeness as discussed 
later. As a whole, our program logic offers an expressive reasoning framework where (relatively) 
simple programs such as pure functions can be reasoned about using simpler primitives while pro- 
grams with more complex behaviour such as those with non-trivial use of local state are reasoned 
about using incrementally more involved logical constructs and axioms. 

Outline. This paper is a full version of [63], with complete definitions and detailed explanations 
and proofs. The present version not only gives more detailed analysis for the properties of the 
models, axioms and proof rules, but also more examples with full derivations and comprehensive 
comparisons with related work. 

Section 2 presents the programming language and the assertion language. Section 3 gives the 
semantics of the logic. Section 4 proposes the proof rules and proves soundness. Section 5 explores 
axioms of the assertion language. Section 6 discusses the use of the logic through non-trivial 
reasoning examples centring on local invariants. Section 7 summarises extensions including the 
three completeness results of the logic, gives the comparisons with related works, and concludes 
with further topics. The Appendix lists auxiliary definitions and detailed proofs. Larger examples of 
reasoning about mutable data structures can be found in [62]. 
2. Assertions for Local State 



2.1. A Programming Language. Our target programming language is call-by-value PCF with 
unit, sums, products and recursive types, augmented with imperative constructs. Let a, b, ..., x, y, ... 
range over an infinite set of variables, and X, Y, ... over an infinite set of type variables.¹ Then types, 
values and programs are given by: 

$$\begin{array}{rcl}
\alpha, \beta &::=& \mathsf{Unit} \mid \mathsf{Bool} \mid \mathsf{Nat} \mid \alpha \Rightarrow \beta \mid \alpha \times \beta \mid \alpha + \beta \mid \mathsf{Ref}(\alpha) \mid X \mid \mu X.\alpha \\
V, W &::=& c \mid x^{\alpha} \mid \lambda x^{\alpha}.M \mid \mu f^{\alpha \Rightarrow \beta}.\lambda y^{\alpha}.M \mid \langle V, W \rangle \mid \mathsf{inj}_i^{\alpha+\beta}(V) \\
M, N &::=& V \mid MN \mid M := N \mid \mathsf{ref}(M) \mid {!M} \mid \mathsf{op}(\tilde M) \mid \pi_i(M) \mid \langle M, N \rangle \mid \mathsf{inj}_i^{\alpha+\beta}(M) \\
&& \mid\ \mathsf{if}\ M\ \mathsf{then}\ M_1\ \mathsf{else}\ M_2 \mid \mathsf{case}\ M\ \mathsf{of}\ \{\mathsf{in}_i(x_i^{\alpha_i}).M_i\}_{i \in \{1,2\}}
\end{array}$$

We use standard notation [14, 46] like constants c (unit (); booleans t, f; numbers n; and location 
labels, also called simply locations, l, l', ...) and first-order operations op (+, −, ×, =, ¬, ∧, ...). 
Locations only appear at runtime when references are generated. M̃ etc. denotes a vector and ε the 
empty vector. A program is closed if it has no free variables. Note that a closed program might 
contain free locations. We use abbreviations such as: 

$$\begin{array}{rcll}
\lambda().M &\stackrel{\mathrm{def}}{=}& \lambda x^{\mathsf{Unit}}.M & (x \notin \mathrm{fv}(M)) \\
M;N &\stackrel{\mathrm{def}}{=}& (\lambda().N)M & \\
\mathsf{let}\ x = M\ \mathsf{in}\ N &\stackrel{\mathrm{def}}{=}& (\lambda x.N)M & (x \notin \mathrm{fv}(M))
\end{array}$$

We use the standard notion of types for imperative λ-calculi [14, 46] and use the equi-isomorphic 
approach [46] for recursive types. Nat, Bool and Unit are called base types. We leave the illustration 
of each language construct to standard textbooks [46], except for reference generation ref(M), the 
focus of the present study. ref(M) behaves as follows: first M of type α is evaluated and becomes 
a value V; then a fresh reference of type Ref(α) with initial content V is generated. 

The behaviour of the programs is formalised by the reduction rules. Let σ denote a store, a 
finite map from locations to closed values. We use σ ⊎ [l ↦ V] to denote the result of disjointly 
adding a pair (l, V) to σ. A configuration is of the form (νl̃)(M, σ) where M is a program, σ a store, 
and l̃ a vector of distinct locations (the order is irrelevant) occurring in σ, and hidden by ν. The 
need of ν-binding is discussed in § 2.3 and Remark 3.4. 

A reduction relation, or often reduction for short, is a binary relation between configurations, 
written 

$$(\nu \tilde l)(M, \sigma_1) \longrightarrow (\nu \tilde l')(N, \sigma_2)$$

The relation is generated by the following rules. First we have the standard rules for call-by-value 
PCF: 

$$\begin{array}{rcl}
(\lambda x.M)V &\longrightarrow& M[V/x] \\
\pi_i(\langle V_1, V_2 \rangle) &\longrightarrow& V_i \\
\mathsf{if}\ \mathsf{t}\ \mathsf{then}\ M_1\ \mathsf{else}\ M_2 &\longrightarrow& M_1 \\
(\mu f.\lambda g.N)W &\longrightarrow& N[W/g][\mu f.\lambda g.N/f] \\
\mathsf{case}\ \mathsf{in}_i(W)\ \mathsf{of}\ \{\mathsf{in}_i(x_i).M_i\}_{i \in \{1,2\}} &\longrightarrow& M_i[W/x_i]
\end{array}$$

¹ For simplicity, we omit the polymorphism from the language, see [24]. 
Then we have the reduction rules for imperative constructs, i.e. assignment, dereference and new- 
name generation. 

$$\begin{array}{rcl}
({!l}, \sigma) &\longrightarrow& (\sigma(l), \sigma) \\
(l := V, \sigma) &\longrightarrow& ((), \sigma[l \mapsto V]) \\
(\mathsf{ref}(V), \sigma) &\longrightarrow& (\nu l)(l, \sigma \uplus [l \mapsto V])
\end{array}$$

In the reduction rule for references, the resulting configuration uses a ν-binder, which lets us directly 
capture the observational meaning of programs. Finally we close → under evaluation contexts and 
ν-binders: 

$$(\nu \tilde l\, \tilde l_1)(E[M], \sigma) \longrightarrow (\nu \tilde l\, \tilde l_2)(E[M'], \sigma') \quad \text{whenever}\quad (\nu \tilde l_1)(M, \sigma) \longrightarrow (\nu \tilde l_2)(M', \sigma')$$

where l̃ are disjoint from both l̃₁ and l̃₂, and E[·] is the left-to-right call-by-value evaluation context 
(with eager evaluation), inductively given by: 

$$\begin{array}{rcl}
E[\cdot] &::=& (E[\cdot]\,M) \mid (V\,E[\cdot]) \mid \langle V, E[\cdot] \rangle \mid \langle E[\cdot], M \rangle \mid \pi_i(E[\cdot]) \mid \mathsf{inj}_i(E[\cdot]) \\
&& \mid\ \mathsf{op}(\tilde V, E[\cdot], \tilde M) \mid \mathsf{if}\ E[\cdot]\ \mathsf{then}\ M\ \mathsf{else}\ N \mid \mathsf{case}\ E[\cdot]\ \mathsf{of}\ \{\mathsf{in}_i(x_i).M_i\}_{i \in \{1,2\}} \\
&& \mid\ {!E[\cdot]} \mid E[\cdot] := M \mid V := E[\cdot] \mid \mathsf{ref}(E[\cdot])
\end{array}$$

We write (M, σ) for (νε)(M, σ) with ε denoting the empty vector. We define: 

• $(\nu \tilde l)(M, \sigma) \Downarrow (\nu \tilde l')(V, \sigma')$ means $(\nu \tilde l)(M, \sigma) \longrightarrow^{*} (\nu \tilde l')(V, \sigma')$. 

• $(\nu \tilde l)(M, \sigma) \Downarrow$ means $(\nu \tilde l)(M, \sigma) \Downarrow (\nu \tilde l')(V, \sigma')$ for some $(\nu \tilde l')(V, \sigma')$. 
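As a worked example added here (it does not appear in the paper), the rules above reduce Inc (1.1) and then one invocation of the resulting closure. The let and ; abbreviations are unfolded as defined earlier, and op(Ṽ) → the computed value is the usual PCF rule for first-order operations.

Unfolding let, Inc is (λx.λ().(x := !x + 1; !x)) ref(0). From the empty store, the context rule with E[·] = (V E[·]) lifts the ν-binder created by ref:

$$\begin{array}{rcll}
((\lambda x.\lambda().(x := {!x} + 1;\ {!x}))\,\mathsf{ref}(0),\ \emptyset)
&\longrightarrow& (\nu l)((\lambda x.\lambda().(x := {!x} + 1;\ {!x}))\,l,\ \{l \mapsto 0\}) & (\mathsf{ref}) \\
&\longrightarrow& (\nu l)(\lambda().(l := {!l} + 1;\ {!l}),\ \{l \mapsto 0\}) & (\beta)
\end{array}$$

Applying the closure to (), with l := !l + 1; !l unfolded to (λ().!l)(l := !l + 1):

$$\begin{array}{rcll}
(\nu l)((\lambda().(l := {!l} + 1;\ {!l}))\,(),\ \{l \mapsto 0\})
&\longrightarrow& (\nu l)((\lambda().{!l})\,(l := {!l} + 1),\ \{l \mapsto 0\}) & (\beta) \\
&\longrightarrow& (\nu l)((\lambda().{!l})\,(l := 0 + 1),\ \{l \mapsto 0\}) & (\text{deref}) \\
&\longrightarrow& (\nu l)((\lambda().{!l})\,(l := 1),\ \{l \mapsto 0\}) & (\mathsf{op}) \\
&\longrightarrow& (\nu l)((\lambda().{!l})\,(),\ \{l \mapsto 1\}) & (\text{assign}) \\
&\longrightarrow& (\nu l)({!l},\ \{l \mapsto 1\}) & (\beta) \\
&\longrightarrow& (\nu l)(1,\ \{l \mapsto 1\}) & (\text{deref})
\end{array}$$

So $(\nu l)((\lambda().(l := {!l} + 1;\ {!l}))\,(),\ \{l \mapsto 0\}) \Downarrow (\nu l)(1, \{l \mapsto 1\})$; a second invocation from the final configuration yields 2. Throughout, l stays under the ν-binder, which is what makes the counter's source invisible to any observing context.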

An environment Γ, Δ, ... is a finite map from variables to types and from locations to reference types. 
The typing rules are standard [46] and are left to Appendix A. Sequents have the form Γ ⊢ M : α, 
to be read: M has type α under Γ. A store σ is typed under Δ, written Δ ⊢ σ, when, for each l in 
its domain, σ(l) is a closed value which is typed α under Δ, where we assume Δ(l) = Ref(α). A 
configuration (M, σ) is well-typed if for some Γ and α we have Γ ⊢ M : α and Γ ⊢ σ. Standard type 
safety holds for well-typed configurations. Henceforth we only consider well-typed programs and 
configurations. 

We define the observational congruence between configurations. Assume Γ, l̃₁,₂ : α̃₁,₂ ⊢ M₁,₂ : α 
and Γ, l̃₁,₂ : α̃₁,₂ ⊢ σ₁,₂. Write 

$$\Gamma \vdash (\nu \tilde l_1)(M_1, \sigma_1) \cong (\nu \tilde l_2)(M_2, \sigma_2)$$

if, for each typed context C[·] which produces a closed program which is typed as Unit under Γ 
and in which no labels from l̃₁,₂ occur, the following holds: 

$$(\nu \tilde l_1)(C[M_1], \sigma_1) \Downarrow \quad \text{iff} \quad (\nu \tilde l_2)(C[M_2], \sigma_2) \Downarrow$$

which we often write (νl̃₁)(M₁, σ₁) ≅ (νl̃₂)(M₂, σ₂) leaving type information implicit. We also 
write Γ ⊢ M₁ ≅ M₂, or simply M₁ ≅ M₂ leaving type information implicit, if l̃ᵢ = ε and σᵢ = ∅ (i = 1, 2). 

2.2. A Logical Language. The logical language we shall use is that of standard first-order logic 
with equality [33, § 2.8], extended with the constructs for (1) higher-order application [24, 25] (for 
imperative higher-order functions); (2) quantification over store content [6] (for aliasing); (3) reach- 
ability and quantification over hidden names (for local state). For (1) we decompose the original 
construct [24, 25] into more elementary constructs, which becomes important for precisely captur- 
ing the semantics of higher-order programs with local state and for obtaining strong completeness 
properties of the logic, as we shall discuss in later sections. 
The grammar follows, letting ⋆ ∈ {∧, ∨, ⊃}, Q ∈ {∃, ∀, ν, ν̄} and Q' ∈ {∃, ∀}. 

$$\begin{array}{rcl}
e &::=& x \mid c \mid \mathsf{op}(\tilde e) \mid \langle e, e' \rangle \mid \mathsf{inj}_i^{\alpha_1+\alpha_2}(e) \mid {!e} \\
C &::=& e = e' \mid \neg C \mid C \star C' \mid Qx^{\alpha}.C \mid Q'X.C \mid [!e]C \mid \langle !e \rangle C \\
&& \mid\ e \bullet e' = x\{C\} \mid \Box C \mid \Diamond C \mid e \hookrightarrow e' \mid e \,\#\, e'
\end{array}$$

The first grammar (e, e', ...) defines terms; the second formulae (A, B, C, C', E, ...). Terms include 
variables, constants c (unit (), numbers n, booleans t, f and locations l, l', ...), pairing, injection 
and standard first-order operations. !e denotes the dereference of a reference e. Formulae include 
standard logical connectives and first-order quantifiers [33]. 

The remaining constructs in the logical language are for capturing the behaviour of imperative 
higher-order functions with local state. First, the universal and existential quantifiers, ∀x.C and 
∃x.C, are standard. We include, following our earlier work, quantification over type variables (X, Y, ...). We 
also use the two quantifiers for aliasing introduced in [6]. [!x]C is universal content quantification of 
x in C, while ⟨!x⟩C is existential content quantification of x in C. In both, x should have a reference 
type. [!x]C says C holds regardless of the value stored in a memory cell named x; and ⟨!x⟩C says 
C holds for some value that may be stored in the memory cell named x. In both, what is being 
quantified is the content of a store, not the name of that store. In [!x]C and ⟨!x⟩C, C is the scope of 
the quantification. The variable x is not bound by a content quantifier: we have fv(⟨!x⟩C) = fv([!x]C) = {x} ∪ fv(C), 
where fv(C) denotes the set of free variables in C. We define ⟨!e⟩C as a shorthand for ∃x.(x = 
e ∧ ⟨!x⟩C), assuming x ∉ fv(C). Likewise, [!e]C is short for ∀x.(x = e ⊃ [!x]C) with x being fresh. 
The scope of a content quantifier is as small as possible, e.g. [!x]C ⊃ C' stands for ([!x]C) ⊃ C'. 

Decomposing the original evaluation formulae [24, 25] into e • e' = x{C} and □C is used for 
describing the behaviour of functions.² e • e' = x{C}, which we call (one-sided) evaluation formula, 
intuitively says: 

The application of a function e to an argument e' starting from the present state will 
terminate with a resulting value (name it x) and a final state, together satisfying C. 

whereas □C, which we read always C, intuitively means: 

C holds in any possible state reachable from the current one. 

Its dual is written ◇C (defined as ¬□¬C), which we read someday C. We call □ (resp. ◇) necessity 
(resp. possibility) operators. As a typical usage of these primitives, consider: 

$$\Box\,(C \supset f \bullet x = y\{C'\}) \qquad (2.1)$$

This can be read: "for now or any future state, once C holds, then the application of f to x terminates, 
with both a return value y and a final state satisfying C'." Note that (2.1) corresponds to the original 
evaluation formula in [24, 25]. Further, in the presence of local state, (2.1) can describe situations 
which cannot be represented using the original evaluation formula (see § 2.3 for examples). The 
decomposition (2.1) can also generalise the local invariant axiom in Proposition 5.15 from [63]. 
Thus this decomposed form is strictly more expressive. It also allows a more streamlined theory. 

There are two new logical primitives for representing local state, in other words, for describ- 
ing the effects of generating and using a fresh reference. First, the hiding quantifiers, νx.C (for some 
hidden reference x, C holds) and ν̄x.C (for each hidden reference x, C holds), quantify over refer- 
ence variables, i.e. the type of x above should be of the form Ref(β). These quantifiers range over 
hidden references, such as x generated by Inc in (1.1) in § 1. The need for having these quantifiers 
in addition to the standard ones is illustrated in § 2.3 and Remark 3.4. The formal difference of ν as 
a quantifier from ∃ will be clarified in § 5.3, Proposition 5.8. 

² We later show □C is expressible by e • e' = x{C}: nevertheless treating □C independently is convenient for our 
technical development. 

The second new primitive for local state is e₁ ↪ e₂ (with e₂ of a reference type), which we call 
reachability predicate. This predicate says: 

We can reach the reference denoted by e₂ from a datum denoted by e₁. 

As an example, if x denotes a starting point of a linked list, x ↪ y says a reference y occurs in one 
of the cells reachable from x. We set its dual [12, 55], written e # e', to mean ¬(e' ↪ e). This negative 
form says: 

One can never reach a reference e starting from a datum denoted by e'. 

# is frequently used for representing freshness of new references. 

Note that expressions of our logical language do not include arbitrary programs. If we enlarge 
terms in the present logical language to encompass arbitrary programs, then terms in the logic will 
have effects when being evaluated (such as λy.x := 3). In addition, the axiomatisation of equality 
would feature involved axioms like () = (x := 3). Note also that the inclusion of application leads to 
expressions whose evaluation may be non-terminating. Excluding such arbitrary terms means that 
we can use standard first-order logic with equality and its usual axiomatisation as its basis, avoiding 
non-termination and side-effects when calculating assertions. 

Terms are typed inductively starting from types for variables and constants and signatures for 
operators. The typing rules for terms follow the standard ones for programs [46] and are given in 
Figure 3 in Appendix A. We write Γ ⊢ e : α when e has type α such that free variables in e have 
types following Γ; and Γ ⊢ C when all terms in C are well-typed under Γ. 

Equations between terms of different types will always evaluate to F.³ The falsity F is definable 
as 1 ≠ 1, and its dual T =def ¬F. The syntactic substitution C[e/!x] is also used frequently: the defini- 
tion is standard, save for some subtlety regarding substitution into the post-condition of evaluation 
formulae; details can be found in Appendix B. Henceforth we only treat well-typed terms and 
formulae. 

Further notational conventions follow. 

Notation 2.1 (Assertions). 

(1) In the subsequent technical development, logical connectives are used with their standard prece- 
dence/association, with content quantification given the same precedence as standard quantifi- 
cation (i.e. they bind more strongly than binary connectives). For example, 

$$\neg A \wedge B \supset \forall x.C \vee \langle !e \rangle D \supset E$$

is a shorthand for ((¬A) ∧ B) ⊃ (((∀x.C) ∨ (⟨!e⟩D)) ⊃ E). The standard binding convention 
is always assumed. 

(2) C₁ ≡ C₂ stands for (C₁ ⊃ C₂) ∧ (C₂ ⊃ C₁), stating the logical equivalence of C₁ and C₂. 

(3) e ≠ e' stands for ¬e = e'. 

(4) Logical connectives are used not only syntactically but also semantically, i.e. when discussing 
meta-logical and other notions of validity. 

(5) We write {C} e₁ • e₂ = z {C'} for C ⊃ e₁ • e₂ = z{C'}. 

(6) e₁ • e₂ = e'{C} stands for e₁ • e₂ = x{x = e' ∧ C} where x is fresh and e' is not a variable; 
e₁ • e₂{C} stands for e₁ • e₂ = (){C}; and e₁ • e₂ ⇓ stands for the convergence e₁ • e₂ = x{T}. 
We apply the same abbreviations to {C} e₁ • e₂ = z {C'}. 

(7) For convenience of rule presentation we will use projections πᵢ(e) as a derived term. They are 
redundant in that any formula containing projections can be translated into one without: for 
example π₁(e) = e' can be expressed as ∃y.e = ⟨e', y⟩. 

(8) We write fv(C) (resp. fl(C)) for the set of the free variables (resp. free locations) in C. 

(9) [!x₁..xₙ]C stands for [!x₁]..[!xₙ]C. Similarly for ⟨!x₁..xₙ⟩C. 

(10) We write ẽ # e for ∧ᵢ eᵢ # e; e # ẽ for ∧ᵢ e # eᵢ; and ẽ # ẽ' for ∧ᵢ,ⱼ eᵢ # e'ⱼ. 

³ To be precise, "terms of unmatchable types": this is because of the presence of type variables. For example, the 
equation "x^X = 1^Nat" can hold depending on models but "x^{Ref(X)} = 1^Nat" never holds. 

2.3. Assertions for Local State. We explain assertions with examples. 

(1) The assertion x = 6 says that x of type Nat is equal to 6. 

(2) Assuming x has type Ref(Nat), !x = 2 means x stores 2. Next assume that e₁ and e₂ have a 
reference type carrying a functional type, say Ref(Nat ⇒ Nat). Then we can specify equality 
of the contents of the references as !e₁ = !e₂. Note that neither e₁ nor e₂ contains λ-expressions. 
Section 5.1 shall show that the standard axioms for equality hold in our logic. 

(3) Consider a simple command x := y; y := z; w := 1. After its run, we can reach reference name 
z by dereferencing y, and y by dereferencing x. Hence z is reachable from y, y from x, hence z 
from x. So the final state satisfies x ↪ y ∧ y ↪ z, which implies x ↪ z by transitivity. 

(4) Next, assuming w is newly generated, we may wish to say w is unreachable from x, to ensure 
freshness of w. For this we assert w # x, which, as noted, stands for ¬(x ↪ w). x # y always 
implies x ≠ y. Note that x ↪ x ≡ x ↪ !x ≡ T and x # x ≡ F. But !x ↪ x may or may not hold 
(since there may be a cycle between x's content and x in the presence of recursive types). 

(5) We consider reachability in procedures. Assume λ().(x := 1) is named f_w, and similarly λ().!x 
is named f_r. Since f_w can write to x, we have f_w ↪ x. Similarly f_r ↪ x. Next suppose let x = 
ref(z) in λ().x has name f_c and z's type is Ref(Nat). Then f_c ↪ z (e.g. consider !(f_c()) := 1). 
However x is not reachable from λ().((λy.())(λ().x)) since semantically, this function never 
touches x. 

(6) □!x = 1 says that x's content is unchanged from 1 forever, which is logically equivalent to F 
(since x might be updated in the future). Instead ◇!x = 1 ≡ T. On the other hand, □x = 1 ≡ 
◇x = 1 ≡ x = 1 (since the value of a functional variable is not affected by the state). 

(7) The following program: 

$$f \;\stackrel{\mathrm{def}}{=}\; \lambda().(x := {!x} + 1;\ {!x}) \qquad (2.2)$$

satisfies the following assertion, when named u: 

$$\Box\,\forall i^{\mathsf{Nat}}.\,\{{!x} = i\}\ u \bullet () = z\ \{{!x} = z \wedge {!x} = i + 1\}$$

saying: 

now or for any future state, invoking the function named u increments the content of x 
and returns that content. 

Stating it for a future state is important since a closure is potentially invoked many times in 
different states. 

(8) We often wish to say that the write effects of an application are restricted to specific locations. 
The following located assertion [6] is used for this purpose: e • e' = x{C}@ẽ where each eᵢ 
is of reference type and does not contain a dereference. ẽ is called the effect set, which might be 
modified by the evaluation. As an example: 

$$\mathsf{inc}(u, x) \;\stackrel{\mathrm{def}}{=}\; \Box\,\forall i.\,\{{!x} = i\}\ u \bullet () = z\ \{z = {!x} \wedge {!x} = i + 1\}@x \qquad (2.3)$$

is satisfied by f in (2.2), saying that a function named u, when invoked, will: (1) increment 
the content of x and (2) return the new content of x (the post-condition gives z = !x = i + 1), 
without modifying (in an observational fashion) any state except x. As in [6], located assertions 
can be translated into non-located evaluation formulae together with content quantification in 
§ 2.2; see Proposition 5.5. 



(9) Assuming / denotes the result of evaluating Inc in the introduction, we can assert, using the 
existential hiding quantifier and naming by u: 

Vx.(\x = A \nc(u,x)) (2.4) 

which says: there is a hidden reference x storing such that, whenever u is invoked, it writes at 
x and returns the increment of the value stored in x at the time of invocation. 

(10) We illustrate that combining hiding quantifiers and the non-reachability predicate is necessary 
for describing the effects and use of newly generated references. Consider: 

let x = ref (2) in y := x (2.5) 

The location denoted by the bound variable x is, at the time when the new reference is generated, 
hidden and disjoint from any existing datum. The location represented by x is still hidden but it 
has now become accessible from a variable y, and this location is still unreachable from other 
references. Thus hiding and disjointness are separate concerns, and, assuming z to be a reference 
disjoint from y, the post-state of (2.5 1 can be described as: 

Vx.(\y=x A !x = 2 A z#x) (2.6) 

(11) The function f\ = f A.« Nat .ref (n), named u, meets the following specification. Let i and X be 
fresh. 

\[\mathsf{fresh} \;\equiv\; \Box\forall n^{\mathsf{Nat}}.\forall X.\forall i^{X}.\; u \bullet n = z\{\nu x.(!z = n \wedge z\#i \wedge z = x)\}@\emptyset \tag{2.7}\]

The above assertion says that $u$, when applied to $n$, will always return a hidden fresh reference $z$ whose content is $n$ and which is unreachable from any datum existing at the time of the invocation; and in the execution it will leave no writing effects on the existing state. Since $i$ ranges over arbitrary data, unreachability of $x$ from each such $i$ in the post-condition indicates that $x$ is freshly generated and is not stored in any existing reference.

(12) Now let us consider the following three formulae:

\[\mathsf{fresh}_1 \;\equiv\; \forall n^{\mathsf{Nat}}.\forall X.\forall i^{X}.\; u \bullet n = z\{\nu x.(!z = n \wedge z\#i \wedge z = x)\}@\emptyset \tag{2.8}\]
\[\mathsf{fresh}_2 \;\equiv\; \forall n^{\mathsf{Nat}}.\forall X.\forall i^{X}.\Box\; u \bullet n = z\{\nu x.(!z = n \wedge z\#i \wedge z = x)\}@\emptyset \tag{2.9}\]
\[\mathsf{fresh}_3 \;\equiv\; \Box\forall n^{\mathsf{Nat}}.\forall X.\forall i^{X}.\Box\; u \bullet n = z\{\nu x.(!z = n \wedge z\#i \wedge z = x)\}@\emptyset \tag{2.10}\]

Each formula is read as follows:

• $\mathsf{fresh}_1$ means that the procedure named by $u$, when invoked in the present state with number $n$, will create a cell with that content which is fresh in the current state.

• $\mathsf{fresh}_2$ means that the procedure $u$, when invoked with number $n$ in the present or any future state, will create a cell with content $n$ which is fresh in the current state. For example the following program satisfies this assertion (naming it as $u$):

\[f_2 \;\equiv\; \mathsf{let}\; x = \mathsf{ref}(0)\; \mathsf{in}\; \lambda y^{\mathsf{Nat}}.(x := y;\; x) \tag{2.11}\]

The function returned by (2.11) does return a fresh reference upon its initial invocation, but from the next invocation onwards it returns the same reference cell, albeit with the new value specified. So it is fresh with respect to the current state (for which we are asserting this formula) but not necessarily with respect to each initial state of invocation.

• $\mathsf{fresh}_3$ means that if we invoke the procedure $u$ in the current state or in any future state, it will create a cell which is fresh in that state.

Then we have:

\[\mathsf{fresh} \;\equiv\; \mathsf{fresh}_3 \;\supset\; \mathsf{fresh}_2 \;\supset\; \mathsf{fresh}_1 \tag{2.12}\]

which we shall prove by the axioms for $\Box$ later. The program (2.11) satisfies $\mathsf{fresh}_1$ and $\mathsf{fresh}_2$, but does not satisfy $\mathsf{fresh}$ (nor $\mathsf{fresh}_3$) since $f_2$ returns the same location. On the other hand, $f_1$ satisfies all of $\mathsf{fresh}$, $\mathsf{fresh}_1$, $\mathsf{fresh}_2$ and $\mathsf{fresh}_3$. This example demonstrates that a combination of $\Box$ and a decomposed evaluation formula gives precise specifications in the presence of local state.⁴
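The difference between quantifying the observer's data $i$ outside the $\Box$ (as in $\mathsf{fresh}_2$) and inside it (as in $\mathsf{fresh}_3$) can be made concrete by running the two procedures against a small store. The following Python model is an added example and is not code from the paper. It assumes $f_1$ (defined earlier in the paper, outside this excerpt) to be $\lambda n.\mathsf{ref}(n)$; $f_2$ is (2.11). The data the observer holds at a given state are approximated by the labels that have been returned to it by then; only the freshness part of the post-condition ($z\#i$ and $\nu x.\,z = x$) is checked, and the write-effect annotation $@\emptyset$ is not modelled.

```python
import itertools


class Store:
    """A store sigma (labels to contents) that also tracks which labels have
    been exported to the outside, i.e. are reachable from data the observer holds."""

    def __init__(self):
        self._cells = {}
        self._counter = itertools.count()
        self._exported = set()

    def ref(self, content):
        """ref(M): allocate a label never used before."""
        label = f"l{next(self._counter)}"
        self._cells[label] = content
        return label

    def read(self, label):
        return self._cells[label]

    def write(self, label, content):
        self._cells[label] = content

    def export(self, label):
        """The observer now holds this label (it was returned to it)."""
        self._exported.add(label)

    def visible(self):
        """Snapshot of the labels the observer can reach right now."""
        return frozenset(self._exported)


def make_f1(store):
    """f_1 (assumed here to be lambda n.ref(n)): a new cell on every call."""
    return lambda n: store.ref(n)


def make_f2(store):
    """f_2 from (2.11): let x = ref(0) in lambda y.(x := y; x).
    One private cell, written and returned on every call."""
    x = store.ref(0)

    def f2(y):
        store.write(x, y)
        return x
    return f2


def freshness_trace(make_proc, args):
    """Run the procedure on each argument and record, per call, whether the
    returned cell z has content n, whether z was unreachable from everything
    the observer held at that invocation (the reading of fresh_3 / fresh,
    where i is quantified inside the box), and whether z was unreachable from
    everything the observer held when the assertion was made, i.e. right after
    the procedure was created (the reading of fresh_2, i quantified outside)."""
    store = Store()
    proc = make_proc(store)
    visible_initially = store.visible()
    trace = []
    for n in args:
        visible_before = store.visible()
        z = proc(n)
        store.export(z)                       # z is now in the observer's hands
        trace.append({
            "content_ok": store.read(z) == n,
            "fresh_at_invocation": z not in visible_before,
            "fresh_wrt_initial": z not in visible_initially,
        })
    return trace


def holds(make_proc, args, key):
    """True iff the chosen freshness reading holds for every call of the run."""
    return all(step[key] for step in freshness_trace(make_proc, args))
```

Running `freshness_trace(make_f2, [3, 4, 5])` shows the cell being fresh at the first invocation only, while it is never reachable from what the observer held at assertion time; `make_f1` passes both readings on every call, matching the discussion of (2.11) above.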



3. Models and Semantics

3.1. Models. We introduce the semantics of the logic based on the operational semantics of programs, using partially hidden stores. Our purpose is to have a precise and clear correspondence between programs' operational behaviour (and the induced observational semantics) and the semantics of assertions. This is the reason for defining our models operationally. This approach offers a simple framework to reason about the semantic effects of hidden (and/or newly generated) stores on higher-order imperative programs (for further discussion, see Remark 3.3 later). For capturing local state, our models incorporate hidden locations using $\nu$-binders, suggested by the $\pi$-calculus [37]. For example, consider the program $\mathsf{Inc}$ from the introduction.

\[\mathsf{Inc} \;\equiv\; \mathsf{let}\; x = \mathsf{ref}(0)\; \mathsf{in}\; \lambda().(x := !x + 1;\; !x) \tag{3.1}\]

Recall that after running $\mathsf{Inc}$, we reach a state where a hidden name stores 0, to be used by the resulting procedure when invoked. Hence $\mathsf{Inc}$, named $u$, is modelled as:

\[(\nu l)(\{u : \lambda().(l := !l + 1;\; !l)\},\; \{l \mapsto 0\}) \tag{3.2}\]

which says that the appropriate behaviour is at $u$, in addition to a hidden reference $l$ storing 0.

Definition 3.1 (models). An open model of type $\Gamma$ is a tuple $(\xi, \sigma)$ where:

• $\xi$, called environment, is a finite map from variables in $\mathsf{dom}(\Gamma)$ to closed values such that, for each $x \in \mathsf{dom}(\Gamma)$, $\xi(x)$ is typed as $\Gamma(x)$ under $\Gamma$, i.e. $\Gamma \vdash \xi(x) : \Gamma(x)$.

• $\sigma$, called store, is a finite map from labels in $\{l \mid l \in \mathsf{dom}(\Gamma)\}$ to closed values such that for each $l \in \mathsf{dom}(\sigma)$, if $\Gamma(l)$ has type $\mathsf{Ref}(\alpha)$, then $\sigma(l)$ has type $\alpha$ under $\Gamma$, i.e. $\Gamma \vdash \sigma(l) : \alpha$.

When $\Gamma$ includes free type variables, $\xi$ maps them to closed types, with the obvious corresponding typing constraints. A model of type $\Gamma$ is a structure $(\nu\tilde{l})(\xi, \sigma)$ with $(\xi, \sigma)$ being an open model of type $\Gamma, \Delta$ with $\{\tilde{l}\} = \mathsf{dom}(\Delta)$. $(\nu\tilde{l})$ acts as a binder. $\mathcal{M}, \mathcal{M}', \ldots$ range over models.

An open model maps variables and locations to closed values: a model then specifies part of the locations as "hidden". For example, $(\nu l)(x : l \cdot y : l',\; [l \mapsto 3] \cdot [l' \mapsto 3])$ is a model with typing environment $\Gamma = \{x : \mathsf{Ref}(\mathsf{Nat}),\; y : \mathsf{Ref}(\mathsf{Nat}),\; l' : \mathsf{Ref}(\mathsf{Nat})\}$. We often omit $\Gamma$ and the mapping from type variables to closed types from $\mathcal{M}$.

Since assertions in the present logic are intended to capture observable program behaviour, the 
semantics of the logic uses models quotiented by an observationally sound equivalence, which we 
choose to be the standard contextual congruence itself. 

⁴ Note that in $\mathsf{fresh}$ and $\mathsf{fresh}_3$, it is essential that we put the universal quantifications $\forall X$ and $\forall i$ after $\Box$. This has not been possible in the two-sided evaluation formulae used in the logics for pure and imperative higher-order functions without local state in [6, 22, 24, 25]. See § 2.1.

Definition 3.2. Assume $\mathcal{M}_i = (\nu\tilde{l}_i)(\tilde{x} : \tilde{V}_i, \sigma_i)$ typable under $\Gamma$. Then we write $\mathcal{M}_1 \approx \mathcal{M}_2$ if the following clause holds for each typed context $C[\cdot]$ which is typable under $\Gamma$ and in which no labels from $\tilde{l}_{1,2}$ occur:

\[(\nu\tilde{l}_1)(C[\langle\tilde{V}_1\rangle], \sigma_1) \Downarrow \quad\text{iff}\quad (\nu\tilde{l}_2)(C[\langle\tilde{V}_2\rangle], \sigma_2) \Downarrow \tag{3.3}\]

where $\langle\tilde{V}\rangle$ is the $n$-fold pairing of a vector of values.

Definition 3.2 in effect takes models up to the standard contextual congruence. We could have used a different program equivalence (for example call-by-value $\beta\eta$-convertibility), as far as it is observationally sound. Note that we have

\[(\nu\tilde{l})(\xi \cdot x : V_1,\; \sigma \cdot l \mapsto W_1) \;\approx\; (\nu\tilde{l})(\xi \cdot x : V_2,\; \sigma \cdot l \mapsto W_2) \tag{3.4}\]

whenever $V_1 \cong V_2$ and $W_1 \cong W_2$, where $\cong$ is the contextual congruence on programs defined in § 2.1.



To see the reason why we take the models up to observational congruence, let us consider the following program:

\[\mathsf{Inc2} \;\equiv\; \mathsf{let}\; x = \mathsf{ref}(0),\; y = \mathsf{ref}(0)\; \mathsf{in}\; \lambda().(x := !x + 1;\; y := !y + 1;\; (!x + !y)/2) \tag{3.5}\]

which is contextually equivalent to $\mathsf{Inc}$. Then we have the following model for $\mathsf{Inc2}$ (with the two local references instantiated to the hidden labels $l$ and $l'$, as $x$ was instantiated to $l$ in (3.2)):

\[(\nu ll')(\{u : \lambda().(l := !l + 1;\; l' := !l' + 1;\; (!l + !l')/2)\},\; \{l \mapsto 0,\; l' \mapsto 0\}) \tag{3.6}\]

Since the two programs originate in the same abstract behaviour, we wish to identify the model in (3.2) and the above model, taking them up to the equivalence.

Remark 3.3 (presentation of models). The model as given above can be presented algebraically using the language of categories [59]. One method, which can treat hiding as above categorically, uses a class of toposes which treat renaming through symmetries [20]. We can also use the "swapping"-based treatment of binding based on [13]. Note however that the use of such different presentations (with their respective merits) does not alter the equational and other properties of models and the satisfaction relation, as long as we wish to use the standard observational semantics (Morris-like contextual congruence) or equivalent models (so-called fully abstract models) as a basis of our logic. Another significant point is that the game-based model is the only known model satisfying this (full abstraction) criterion, whose morphisms are isomorphic to a class of typed $\pi$-calculus processes [21]. The presented "operational" model is hinted at by, and is close to, the $\pi$-calculus presentation of the semantics of the target language. The present approach allows us to have models which are automatically faithful to the standard observational semantics of the language, directly capturing the effects of hidden stores by the semantics of the logic. Other models may as well be used for exploring various aspects of the presented logic.

Remark 3.4 (hidden locations). Following standard textbooks [14, 46], we treat locations as values (which is natural from the viewpoint of reduction). A significant point is that distinctions among these values (locations) matter even if they are hidden. For example if we have:

\[M \;\equiv\; \langle \mathsf{ref}(2),\; \mathsf{ref}(2) \rangle \tag{3.7}\]

and evaluate $M$, we get a pair of two fresh locations both storing 2. For the denotation of this resulting value, it is essential that these two references are distinct. For example the program:

\[N \;\equiv\; \mathsf{let}\; x = \mathsf{ref}(2)\; \mathsf{in}\; \langle x, x \rangle \tag{3.8}\]

has a different observable behaviour, as justified by the context $C[\ ] \equiv \mathsf{if}\; \pi_1[\ ] = \pi_2[\ ]\; \mathsf{then}\; 1\; \mathsf{else}\; 2$. Thus distinctions matter, even if locations are hidden.
3.2. Semantics of Equality. For the rest of this section, we give semantics to assertions, mainly focussing on key features concerning local state which therefore differ from the previous logics [6]. We start with the semantics of equality.

A key example are the programs $\mathsf{incShared}$ in (1.2) and $\mathsf{incUnShared}$ in (1.3) from the introduction. After the second assignment of (1.2) and (1.3), we consider whether we can assert "$!a = !b$" (i.e. the contents of $a$ and $b$ are equal). For this inquiry, let us first recall the following defining clause for the satisfaction of equality of two logical terms from [6], which follows the standard definition of logical equality. First we set, with $\Gamma \vdash e : \alpha$, $\Gamma \vdash \mathcal{M}$ and an open model $\mathcal{M} = (\xi, \sigma)$, an interpretation of $e$ under $\mathcal{M}$ as follows:⁵

\[[\![x]\!]_{\xi,\sigma} = \xi(x) \qquad [\![!e]\!]_{\xi,\sigma} = \sigma([\![e]\!]_{\xi,\sigma}) \qquad [\![c]\!]_{\xi,\sigma} = c \qquad [\![\mathsf{op}(\tilde{e})]\!]_{\xi,\sigma} = \mathsf{op}([\![\tilde{e}]\!]_{\xi,\sigma})\]

which are all standard. Then we define:

\[\text{(the definition from [6])}\qquad \mathcal{M} \models e_1 = e_2 \;\stackrel{\text{def}}{\equiv}\; [\![e_1]\!]_{\mathcal{M}} \cong [\![e_2]\!]_{\mathcal{M}} \tag{3.9}\]

Note that (3.9) says that $e_1 = e_2$ is true under an open model $\mathcal{M}$ iff their interpretations in $\mathcal{M}$ are congruent. Now suppose we apply (3.9) to the question of $!a = !b$ in $\mathsf{incUnShared}$. Since the two instances of $\mathsf{Inc}$ stored in $a$ and $b$ have the identical denotation (or identical behaviour: because they are exactly the same programs), the equality $!a = !b$ holds for $\mathsf{incUnShared}$ if we use (3.9). However this interpretation is wrong: we observe that, in $\mathsf{incUnShared}$, running $!a$ twice and running $!a$ and $!b$ consecutively lead to different observable behaviours, due to their distinct local states (which can be easily represented using evaluation formulae). Hence we must have $!a \neq !b$, which says the standard definition (3.9) is not applicable in the presence of local state. On the other hand, running $!a$ and running $!b$ always have identical observable effects: that is, we can always replace the content of $a$ with the content of $b$ in $\mathsf{incShared}$, hence the equality $!a = !b$ should hold for $\mathsf{incShared}$.

The reason the standard equality does not hold is that two currently identical stateful procedures may in future demonstrate distinct behaviour. On the other hand, two identical functions which share the same local state always show the same behaviour, hence in $\mathsf{incShared}$ we obtain equality.
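The distinguishing experiment described above can be run directly. The following Python code is an added example, not code from the paper: $\mathsf{Inc}$ is modelled as a closure over a one-element list standing for the hidden reference, and $a$, $b$ are one-element lists standing for the two references that hold procedures. The context "run $!a$ twice" versus "run $!a$ then $!b$" is the observer that separates $\mathsf{incUnShared}$ from $\mathsf{incShared}$.

```python
def inc():
    """Inc = let x = ref(0) in lambda ().(x := !x + 1; !x).
    The one-element list x plays the hidden reference l."""
    x = [0]

    def body():
        x[0] += 1
        return x[0]
    return body


def inc_unshared():
    """incUnShared: a := Inc; b := Inc.  Two instances, two local states."""
    a = [inc()]
    b = [inc()]
    return a, b


def inc_shared():
    """incShared: a := Inc; b := !a.  Both cells hold the same closure,
    so they share one hidden counter."""
    a = [inc()]
    b = [a[0]]
    return a, b


def observe(program):
    """The distinguishing context: from one fresh copy of the program run !a
    twice; from another fresh copy run !a and then !b.  Returns both
    result lists so they can be compared."""
    a, b = program()
    twice_a = [a[0](), a[0]()]
    a, b = program()
    a_then_b = [a[0](), b[0]()]
    return twice_a, a_then_b


def contents_equal(program):
    """!a = !b can only hold if no context tells the two contents apart.
    The experiment above is one such context: differing results refute the
    equality, equal results are consistent with it."""
    twice_a, a_then_b = observe(program)
    return twice_a == a_then_b
```

For `inc_shared` both runs yield `[1, 2]`; for `inc_unshared` the second run yields `[1, 1]`, which is exactly why the denotation-based clause (3.9) gives the wrong answer and the contextual clause is needed.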

This analysis indicates that we need to consider programs placed in contexts to compare them precisely, leading to the following extension of the semantics of equality, assuming $\mathcal{M} \stackrel{\text{def}}{=} (\nu\tilde{l})(\xi, \sigma)$:

\[\mathcal{M} \models e_1 = e_2 \;\stackrel{\text{def}}{\equiv}\; \mathcal{M}[u : e_1] \approx \mathcal{M}[u : e_2] \tag{3.10}\]

where $\mathcal{M}[u : e]$ denotes $(\nu\tilde{l})(\xi \cdot u : [\![e]\!]_{\xi,\sigma}, \sigma)$ with $u$ fresh and the variables and labels in $e$ free in $\mathcal{M}$. Note that $\mathcal{M}[u : e]$ offers the notion of a "program-in-context" when $e$ denotes a program. For example let us consider a model for the state immediately after the assignment $b := !a$ in $\mathsf{incShared}$. Then the model may be written as (taking $a$ and $b$ to be locations):

\[\mathcal{M}_{\mathsf{incShared}} \;=\; (\nu l)\Big(\emptyset,\;\; a \mapsto \lambda().(l := !l + 1;\; !l)\;\cdot\; b \mapsto \lambda().(l := !l + 1;\; !l)\;\cdot\; l \mapsto n\Big) \tag{3.11}\]

We obtain (writing the map for $a$, $b$, $l$ above as $\sigma$ for brevity):

\[\mathcal{M}_{\mathsf{incShared}}[u : !a] \;=\; (\nu l)(u : \lambda().(l := !l + 1;\; !l),\; \sigma) \tag{3.12}\]

⁵ Since a model in [6] does not have local state, it suffices to consider open models.

Notice that the function assigned to $u$ shares $l$ in the environment: we are interpreting the dereference $!a$ "in context". Similarly we obtain:

\[\mathcal{M}_{\mathsf{incShared}}[u : !b] \;=\; (\nu l)(u : \lambda().(l := !l + 1;\; !l),\; \sigma) \tag{3.13}\]

from which we conclude $\mathcal{M}_{\mathsf{incShared}} \models\; !a = !b$: if the results of interpreting two terms in context are equal then we know their effects on the model are equal. We leave it to the reader to check the inequality between $!a$ and $!b$ for the corresponding model representing $\mathsf{incUnShared}$.

The definition of equality above satisfies the standard axioms of equality, as we shall see in § 5. It is also accompanied by a notion of symmetry which can be used for checking (in)equality, introduced below.

Definition 3.5 (permutation). Let $\mathcal{M} \stackrel{\text{def}}{=} (\nu\tilde{l})(\xi \cdot v : V \cdot w : W, \sigma)$ where $\mathcal{M}$ is typed under $\Gamma$ and $v, w$ have the same type under $\Gamma$. Then we set:

\[\mathcal{M}(v\;w) \;\stackrel{\text{def}}{=}\; (\nu\tilde{l})(\xi \cdot v : W \cdot w : V,\; \sigma) \tag{3.14}\]

called a permutation of $\mathcal{M}$ at $v$ and $w$. We extend the notion to an arbitrary bijection $\rho$ on $\mathsf{dom}(\Gamma)$, writing $\mathcal{M}[\rho]$. A permutation $\rho$ on $\mathcal{M}$ is a symmetry on $\mathcal{M}$ when $\mathcal{M}[\rho] \approx \mathcal{M}$.

Proposition 3.6 (symmetries).

(1) Given $\mathcal{M}_{1,2}$ and a bijection $\rho$ on free variables in the domain of $\mathcal{M}_{1,2}$, we have $\mathcal{M}_1 \approx \mathcal{M}_2$ iff $\mathcal{M}_1[\rho] \approx \mathcal{M}_2[\rho]$.

(2) If $\mathcal{M}_1 \approx \mathcal{M}_2$ and $\rho$ is a symmetry of $\mathcal{M}_1$, then $\rho$ is a symmetry of $\mathcal{M}_2$.

Proof. Obvious by definition. □

We illustrate how we can use the result above to model the subtlety of equality of behaviours with shared local state. Let us consider the following models $\mathcal{M}_1$ and $\mathcal{M}_2$, which represent the situations analogous to $\mathsf{incShared}$ and $\mathsf{incUnShared}$ (again after running the second assignment). The defining clause for equality gives, using $\mathcal{M}_1[u : v] \approx \mathcal{M}_1[u : w]$:

\[\mathcal{M}_1 \;\stackrel{\text{def}}{=}\; (\nu l)\big(v : \lambda().(l := !l + 1;\; !l)\;\cdot\; w : \lambda().(l := !l + 1;\; !l),\;\; l \mapsto 0\big) \;\models\; v = w \tag{3.15}\]

On the other hand, we have:

\[\mathcal{M}_2 \;\stackrel{\text{def}}{=}\; (\nu ll')\big(v : \lambda().(l := !l + 1;\; !l)\;\cdot\; w : \lambda().(l' := !l' + 1;\; !l'),\;\; l \mapsto 0 \cdot l' \mapsto 0\big) \;\models\; v \neq w \tag{3.16}\]

This is because $(u\;v)$ is a symmetry of $\mathcal{M}_2[u : v]$, but not of $\mathcal{M}_2[u : w]$. The latter can be examined by comparing the following two models (writing "$u, w : V$" to denote "$u : V, w : V$"):

\[\mathcal{M}_2[u : w] \;=\; (\nu ll')\big(v : \lambda().(l := !l + 1;\; !l)\;\cdot\; u, w : \lambda().(l' := !l' + 1;\; !l'),\;\; l \mapsto 0 \cdot l' \mapsto 0\big) \tag{3.17}\]

\[(\mathcal{M}_2[u : w])(u\;v) \;=\; (\nu ll')\big(u : \lambda().(l := !l + 1;\; !l)\;\cdot\; v, w : \lambda().(l' := !l' + 1;\; !l'),\;\; l \mapsto 0 \cdot l' \mapsto 0\big) \tag{3.18}\]

which differ semantically when e.g. $v$ and $w$ are invoked consecutively. Hence by Proposition 3.6 (2), $\mathcal{M}_2[u : v] \not\approx \mathcal{M}_2[u : w]$, justifying the above inequality $v \neq w$. The permutations also help to prove the axioms of equality in § 5.
3.3. Semantics of Necessity and Possibility Operators. We define, with $u$ fresh,

\[\mathcal{M}[u : N] \Downarrow \mathcal{M}' \quad\text{when}\quad (N\xi, \sigma) \Downarrow (\nu\tilde{l}')(V, \sigma') \quad\text{with } \mathcal{M} = (\nu\tilde{l})(\xi, \sigma) \text{ and } \mathcal{M}' = (\nu\tilde{l}\tilde{l}')(\xi \cdot u : V, \sigma')\]

where we always assume $u$ is fresh and the variables and labels in $N$ are free in $\mathcal{M}$. The above definition intuitively means that $\mathcal{M}$ can reduce to $\mathcal{M}'$ through arbitrary effects on $\mathcal{M}$ by an external program: in other words, $\mathcal{M}'$ is a hypothetical future state (or "possible world") of $\mathcal{M}$. Then we generate $\mathcal{M} \rightsquigarrow \mathcal{M}'$ by

(1) $\mathcal{M} \rightsquigarrow \mathcal{M}$

(2) if $\mathcal{M} \rightsquigarrow \mathcal{M}_0$ and $\mathcal{M}_0[u : N] \Downarrow \mathcal{M}'$, then $\mathcal{M} \rightsquigarrow \mathcal{M}'$

Thus $\mathcal{M} \rightsquigarrow \mathcal{M}'$ reads:

$\mathcal{M}$ may evolve to $\mathcal{M}'$ by interaction with zero or more typable programs.

Note that $\rightsquigarrow$ is reflexive and transitive. If $\mathcal{M} \rightsquigarrow \mathcal{M}'$ and $\mathcal{M}'$ adds the new domain $\{x_1 \ldots x_n\}$, then $x_1 \ldots x_n$ is its increment and we often explicitly write $\mathcal{M} \rightsquigarrow^{\tilde{x}} \mathcal{M}'$.

The semantics of $\Box C$ says that for any target of evolution, $C$ should hold:

\[\mathcal{M} \models \Box C \;\stackrel{\text{def}}{\equiv}\; \forall\mathcal{M}'.(\mathcal{M} \rightsquigarrow \mathcal{M}' \supset \mathcal{M}' \models C). \tag{3.19}\]

Dually we set:

\[\mathcal{M} \models \Diamond C \;\stackrel{\text{def}}{\equiv}\; \exists\mathcal{M}'.(\mathcal{M} \rightsquigarrow \mathcal{M}' \wedge \mathcal{M}' \models C). \tag{3.20}\]

3.4. Semantics of Evaluation Formulae. The semantics of the evaluation formula is given below:

\[\mathcal{M} \models e \bullet e' = x\{C\} \;\stackrel{\text{def}}{\equiv}\; \exists\mathcal{M}'.(\mathcal{M}[x : ee'] \Downarrow \mathcal{M}' \;\wedge\; \mathcal{M}' \models C)\]

which says that in the current state, if we apply $e$ to $e'$, then the return value (named $x$) and the resulting state together satisfy $C$.

We already motivated the decomposition of the original evaluation formulae [6] into the simplified evaluation formulae and the necessity operator in § 2.3. Let us write the original evaluation formulae in [6, 25] as $\{C\}e \bullet e' = x\{C'\}^{*}$. Then we can translate this in the present language as:

\[\{C\}e \bullet e' = x\{C'\}^{*} \;\equiv\; \exists f, g.\big(f = e \;\wedge\; g = e' \;\wedge\; \Box(C \supset f \bullet g = x\{C'\})\big)\]

that is, we interpret $e$ and $e'$ in the present state and name them $f$ and $g$, and assert that, now or in any future state in which $C$ is satisfied, if we apply $f$ to $g$, then it returns $x$ which, together with the resulting state, satisfies $C'$. The original clause says:

In any initial hypothetical state which is reachable from the present state and which satisfies $C$, the application of $e$ to $e'$ terminates and both the result $x$ and the final state satisfy $C'$.

To see the reason why we require $\Box$ in the specification of functions, we set:

\[\mathcal{M} \;\stackrel{\text{def}}{=}\; (\nu l)(u : \lambda().!l,\;\; w : \lambda().l := !l + 1,\;\; l \mapsto 5) \tag{3.21}\]

We can check that the set of all legitimate hypothetical states from this state (i.e. $\mathcal{M}'$ such that $\mathcal{M}[z : N] \Downarrow \mathcal{M}'$) can be enumerated by:

\[\mathcal{M}'_m \;\stackrel{\text{def}}{=}\; (\nu l)(u : \lambda().!l,\;\; w : \lambda().l := !l + 1,\;\; l \mapsto m) \tag{3.22}\]

for each $m \geq 5$ (these are, up to $\approx$, essentially all the models reachable from $\mathcal{M}$, even though outside programs can create new references: the only way an outside program can touch $l$ is by calling $w$, which increments it).

Thus we have, for $\mathcal{M}$ in (3.21):

\[\mathcal{M} \models \Box\, u \bullet () = x\{x \geq 5\} \tag{3.23}\]

which says that in any future state where $u$ is invoked, it always returns something no less than 5, which is operationally reasonable.

We can use this formula for specifying the following program:

\[L \;\stackrel{\text{def}}{=}\; \begin{array}{l}
\mathsf{let}\; x = \mathsf{ref}(5)\; \mathsf{in} \\
\mathsf{let}\; u = \lambda().!x\; \mathsf{in} \\
\mathsf{let}\; w = \lambda().x := !x + 1\; \mathsf{in} \\
(f\, w);\; \mathsf{if}\; !x \geq 5\; \mathsf{then}\; \mathsf{t}\; \mathsf{else}\; \mathsf{f}
\end{array} \tag{3.24}\]

When the application $f\,w$ takes place, some unknown computation occurs which may change the value of $x$: but as long as $f\,w$ terminates, it always returns $\mathsf{t}$. To reach (3.23), we need to consider all possible $\mathcal{M}'$ with effects from the outside. Since every such $\mathcal{M}'$ is of the form (3.22), we can conclude that the program $L$ always returns $\mathsf{t}$ (if $f\,w$ terminates).



3.5. Semantics of Universal and Existential Quantification. The universal and existential quantifiers also need to incorporate local state. We need one definition to identify a set of terms which do not change the state of any model. Below $\mathcal{M}_\Gamma$ indicates that $\mathcal{M}$ is typable under $\Gamma$.

Definition 3.7 (Functional Terms). We define the set of functional terms of type $\Gamma$, denoted $\mathcal{F}_\Gamma$, or often simply $\mathcal{F}$ leaving its typing implicit, as:

\[\mathcal{F}_\Gamma \;\stackrel{\text{def}}{=}\; \{N \mid \forall\mathcal{M}_\Gamma.(\mathcal{M}[u : N] \Downarrow \mathcal{M}' \;\supset\; \mathcal{M} \approx \mathcal{M}'/u)\}\]

where $\mathcal{M}/u \stackrel{\text{def}}{=} (\nu\tilde{l})(\xi, \sigma)$ if $\mathcal{M} = (\nu\tilde{l})(\xi \cdot u : V, \sigma)$; and $\mathcal{M}/u \stackrel{\text{def}}{=} \mathcal{M}$ when $u \notin \mathsf{fv}(\mathcal{M})$. We write $L, L', \ldots$ for functional terms, often leaving their types implicit.

Above, $\mathcal{M} \approx \mathcal{M}'/u$ ensures that $L$ does not affect $\mathcal{M}$ during the evaluation of $L$ in $\mathcal{M}$. Note that values are always functional terms. In the context of reasoning for object-oriented languages, a similar formulation (called strong purity) is used in [44] for justifying the semantics of method invocations whose evaluation has no effect on the state of existing objects.

Now we define:

\[\mathcal{M} \models \forall x.C \;\stackrel{\text{def}}{\equiv}\; \forall L \in \mathcal{F}.(\mathcal{M}[x : L] \Downarrow \mathcal{M}' \;\supset\; \mathcal{M}' \models C) \tag{3.25}\]

Dually, we have:

\[\mathcal{M} \models \exists x.C \;\stackrel{\text{def}}{\equiv}\; \exists L \in \mathcal{F}.(\mathcal{M}[x : L] \Downarrow \mathcal{M}' \;\wedge\; \mathcal{M}' \models C) \tag{3.26}\]

If we restrict $L$ above to a value, then the definition coincides with the original one in [6]. We need to extend values to functional terms so that a term can read information from hidden locations (cf. the semantics of equality $e_1 = e_2$). As a simple example, consider:

\[\mathcal{M} \;\stackrel{\text{def}}{=}\; (\nu l_1 l_2)(y : l_1,\;\; l_1 \mapsto l_2,\; l_2 \mapsto 2)\]

Under this model, we wish to say $\mathcal{M} \models \exists x.x = !y$. But if we only allow $x$ to range over values, this standard tautology does not hold for $\mathcal{M}$: the only candidate for $x$ is the hidden label $l_2$, which cannot occur in a term placed in $\mathcal{M}$. Using the functional term $!y \in \mathcal{F}$, we can expand the entry $x$ with $!y$, and we have:

\[\mathcal{M}[x : !y] \Downarrow (\nu l_1 l_2)(x : l_2 \cdot y : l_1,\;\; l_1 \mapsto l_2,\; l_2 \mapsto 2) \;\stackrel{\text{def}}{=}\; \mathcal{M}' \quad\wedge\quad \mathcal{M}' \models x = !y\]

Thus using a functional term $L$ instead of a value $V$ for a quantified variable is necessary for reasons similar to those that required modifying the semantics of equality. Universal and existential quantifiers satisfy the standard axioms familiar from first-order logic, some of which are studied later.



3.6. Semantics of Hiding. The universal hiding-quantifier has the following semantics.

\[\mathcal{M} \models \bar{\nu}x.C \;\stackrel{\text{def}}{\equiv}\; \forall\mathcal{M}'.\big((\nu l)\mathcal{M}' \approx \mathcal{M} \;\supset\; \mathcal{M}'[x : l] \models C\big) \tag{3.27}\]

where $l$ is fresh, i.e. $l \notin \mathsf{fl}(\mathcal{M})$, where $\mathsf{fl}(\mathcal{M})$ denotes the free labels in $\mathcal{M}$. The notation $(\nu l)\mathcal{M}'$ denotes the addition of the hiding of $l$ to $\mathcal{M}'$, as well as indicating that $l$ occurs free in $\mathcal{M}'$. $\mathcal{M}'[x : l]$ adds $x : l$ to the environment part of $\mathcal{M}'$.

Dually, with $l$ fresh again:

\[\mathcal{M} \models \nu x.C \;\stackrel{\text{def}}{\equiv}\; \exists\mathcal{M}'.\big((\nu l)\mathcal{M}' \approx \mathcal{M} \;\wedge\; \mathcal{M}'[x : l] \models C\big) \tag{3.28}\]

which says that $x$ denotes a hidden reference, say $l$, and the result of taking off its hiding from $\mathcal{M}$ satisfies $C$.

As an example of satisfaction, let:

\[\mathcal{M} \;\stackrel{\text{def}}{=}\; (\nu l)(\{u : \lambda().(l := !l + 1;\; !l)\},\; \{l \mapsto 0\}) \tag{3.29}\]

then we have:

\[\mathcal{M} \models \nu x.C \tag{3.30}\]

with

\[C \;\stackrel{\text{def}}{=}\; !x = 0 \;\wedge\; \Box\forall i.\{!x = i\}\, u \bullet () = z\{z = !x \wedge !x = i + 1\} \tag{3.31}\]

using the definition in (3.28) above. To see this holds, let

\[\mathcal{M}' \;\stackrel{\text{def}}{=}\; (\{u : \lambda().(l := !l + 1;\; !l)\},\; \{l \mapsto 0\}) \tag{3.32}\]

We have $(\nu l)\mathcal{M}' = \mathcal{M}$, and $\mathcal{M}'[x : l] \models C$. Here $\mathcal{M}$ represents a situation where $l$ is hidden and $u$ denotes a function which increments and returns the content of $l$; whereas $\mathcal{M}'$ is the result of taking off this hiding, exposing the originally local state, cf. [11].

Despite $x$'s type being a reference, $\forall x.C$ differs substantially from $\bar{\nu}x.C$. The former says that for any reference $x$, which can be either (1) an existing free reference; (2) an existing hidden reference reachable through dereferences; or (3) a fresh reference with arbitrary content, the model satisfies $C$. On the other hand, the latter means that for any reference $x$ which is hidden in the present model, $C$ should hold: in this case $x$ cannot be a free reference name, hence (1) is not included. Similarly for their dual existential versions.



3.7. Semantics of Content Quantification. Next we define the semantics of content quantification. Let us write $\mathcal{M}[x \mapsto V]$ for $(\nu\tilde{l})(\xi, \sigma[l \mapsto V])$ with $\mathcal{M} = (\nu\tilde{l})(\xi, \sigma)$ and $\xi(x) = l$. In [6] (without local state), $\mathcal{M} \models [!x]C$ is defined as $\forall V.\,\mathcal{M}[x \mapsto V] \models C$, which means that for all contents of $x$, $C$ holds. In the presence of local state, we simply extend the use of values to the use of functional terms in the sense of Definition 3.7, as follows:

\[\mathcal{M} \models [!e]C \;\stackrel{\text{def}}{\equiv}\; \forall L \in \mathcal{F}.\; \mathcal{M}[e \mapsto L] \models C \tag{3.33}\]

where we write $\mathcal{M}[e \mapsto L]$ for $(\nu\tilde{l})(\xi, \sigma[l' \mapsto V])$, assuming $\mathcal{M} = (\nu\tilde{l})(\xi, \sigma)$, $[\![e]\!]_{\xi,\sigma} = l'$, $(\nu\tilde{l})(L\xi, \sigma) \Downarrow \mathcal{M}'$ and $\mathcal{M}' \approx (\nu\tilde{l})(V, \sigma)$. Thus we consider an update through the assignment of an external functional term $L$ to a location in $\mathcal{M}$ under local names. With this definition, all the axioms and invariant rules in [6] stay unchanged.



3.8. Semantics of Reachability. We now define the semantics of reachability. Let $\sigma$ be a store and $S \subseteq \mathsf{dom}(\sigma)$. Then the label closure of $S$ in $\sigma$, written $\mathsf{lc}(S, \sigma)$, is the minimum set $S'$ of locations such that: (1) $S \subseteq S'$ and (2) if $l \in S'$ then $\mathsf{fl}(\sigma(l)) \subseteq S'$. The label closure satisfies the following natural properties.

Lemma 3.8. For all $\sigma$, we have:

(1) $S \subseteq \mathsf{lc}(S, \sigma)$; $S_1 \subseteq S_2$ implies $\mathsf{lc}(S_1, \sigma) \subseteq \mathsf{lc}(S_2, \sigma)$; and $\mathsf{lc}(S, \sigma) = \mathsf{lc}(\mathsf{lc}(S, \sigma), \sigma)$

(2) $\mathsf{lc}(S_1, \sigma) \cup \mathsf{lc}(S_2, \sigma) = \mathsf{lc}(S_1 \cup S_2, \sigma)$

(3) $S_1 \subseteq \mathsf{lc}(S_2, \sigma)$ and $S_2 \subseteq \mathsf{lc}(S_3, \sigma)$ imply $S_1 \subseteq \mathsf{lc}(S_3, \sigma)$

(4) there exists $\sigma' \subseteq \sigma$ such that $\mathsf{lc}(S, \sigma) = \mathsf{fl}(\sigma') = \mathsf{dom}(\sigma')$.

Proof. (1, 2) are direct from the definition. (3) follows immediately from (1, 2). For (4), take $\sigma' = \bigcup_{l \in \mathsf{lc}(S,\sigma)} [l \mapsto \sigma(l)]$. Then obviously $\sigma' \subseteq \sigma$ and $\mathsf{lc}(S, \sigma) = \mathsf{fl}(\sigma') = \mathsf{dom}(\sigma')$. □

For reachability, we define:

\[\mathcal{M} \models e_1 \hookrightarrow e_2 \quad\text{if}\quad [\![e_2]\!]_{\xi,\sigma} \in \mathsf{lc}(\mathsf{fl}([\![e_1]\!]_{\xi,\sigma}), \sigma) \;\text{ for each } (\nu\tilde{l})(\xi, \sigma) \approx \mathcal{M}\]

The clause says that the set of all locations reachable from $e_1$ includes $e_2$, modulo $\approx$.

For the programs in § 2.3 (5), we can check that $f_w \hookrightarrow x$, $f_r \hookrightarrow x$ and $f_c \hookrightarrow z$ hold under $f_w : \lambda().(x := 1)$, $f_r : \lambda().!x$, $f_c : \mathsf{let}\; x = \mathsf{ref}(z)\; \mathsf{in}\; \lambda().x$ (regardless of the store part).

The following characterisation of $\#$ is often useful for justifying fresh name axioms. Below $\sigma = \sigma_1 \uplus \sigma_2$ indicates that $\sigma$ is the union of $\sigma_1$ and $\sigma_2$, assuming $\mathsf{dom}(\sigma_1) \cap \mathsf{dom}(\sigma_2) = \emptyset$.

Proposition 3.9 (partition). $\mathcal{M} \models x\#u$ if and only if for some $\tilde{l}$, $V$, $l$ and $\sigma_{1,2}$, we have $\mathcal{M} \approx (\nu\tilde{l})(\xi \cdot u : V \cdot x : l,\; \sigma_1 \uplus \sigma_2)$ such that $\mathsf{lc}(\mathsf{fl}(V), \sigma_1 \uplus \sigma_2) = \mathsf{fl}(\sigma_1) = \mathsf{dom}(\sigma_1)$ and $l \in \mathsf{dom}(\sigma_2)$.

Proof. For the only-if direction, assume $\mathcal{M} \models x\#u$. By the definition of (un)reachability, we can set (up to $\approx$) $\mathcal{M} = (\nu\tilde{l})(\xi \cdot u : V \cdot x : l, \sigma)$ such that $l \notin \mathsf{lc}(\mathsf{fl}(V), \sigma)$. Now take $\sigma_1$ such that $\mathsf{lc}(\mathsf{fl}(V), \sigma) = \mathsf{lc}(\mathsf{fl}(V), \sigma_1) = \mathsf{fl}(\sigma_1) = \mathsf{dom}(\sigma_1)$ by Lemma 3.8 (4). Note by definition $l \notin \mathsf{dom}(\sigma_1)$. Now let $\sigma = \sigma_1 \uplus \sigma_2$. Since $l \in \mathsf{dom}(\sigma)$, we know $l \in \mathsf{dom}(\sigma_2)$, hence done. The if-direction is obvious by the definition of reachability. □

The characterisation says that if $x$ is unreachable from $u$ then, up to $\approx$, the store can be partitioned into one part covering all names reachable from $u$ and another containing $x$.
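Label closure, the reachability predicate and the partition of Proposition 3.9 are all computable on a concrete store. The following Python code is an added example, not code from the paper: values are integers, labels (strings beginning with `l`), pairs (tuples) and `Closure` objects that carry only the labels free in their body, which is all that $\mathsf{fl}(V)$ needs to know about a function value. The store and the three closures standing for $f_w$, $f_r$, $f_c$ of § 2.3 (5) are constructed for illustration: $x$ is the label `lx`, $z$ is `lz`, and $f_c$'s private cell `lx2` holds `lz`.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Closure:
    """A lambda-abstraction, abstracted to the labels free in its body."""
    name: str
    free_labels: frozenset = field(default_factory=frozenset)


def is_label(value):
    return isinstance(value, str) and value.startswith("l")


def fl(value):
    """fl(V): the set of labels occurring in a value (integers carry none)."""
    if is_label(value):
        return {value}
    if isinstance(value, Closure):
        return set(value.free_labels)
    if isinstance(value, tuple):
        return set().union(*(fl(component) for component in value))
    return set()


def lc(S, sigma):
    """Label closure lc(S, sigma): the least S' with S ⊆ S' and, for every
    l in S', fl(sigma(l)) ⊆ S'.  Requires S ⊆ dom(sigma) and a closed store
    (every label occurring in a content is in dom(sigma)), as in the paper."""
    closed = set(S)
    worklist = list(S)
    while worklist:
        label = worklist.pop()
        for reached in fl(sigma[label]):
            if reached not in closed:
                closed.add(reached)
                worklist.append(reached)
    return frozenset(closed)


def reaches(sigma, value, label):
    """e1 ↪ e2 for [[e1]] = value and [[e2]] = label, on one representative."""
    return label in lc(fl(value), sigma)


def partition(sigma, value, label):
    """Proposition 3.9: when label is unreachable from value (x#u), split the
    store into sigma1, whose domain is exactly lc(fl(value), sigma), and
    sigma2, which contains label.  Returns None when label is reachable."""
    reachable = lc(fl(value), sigma)
    if label in reachable:
        return None
    sigma1 = {l: v for l, v in sigma.items() if l in reachable}
    sigma2 = {l: v for l, v in sigma.items() if l not in reachable}
    return sigma1, sigma2


# Constructed store and closures for the programs of § 2.3 (5).
SAMPLE_STORE = {"lx": 0, "lz": 5, "lx2": "lz"}
F_W = Closure("f_w", frozenset({"lx"}))     # λ().(x := 1)
F_R = Closure("f_r", frozenset({"lx"}))     # λ().!x
F_C = Closure("f_c", frozenset({"lx2"}))    # λ().x with x = ref(z), x = lx2
```

`reaches(SAMPLE_STORE, F_C, "lz")` holds because the closure reaches `lz` through the content of its cell, while `partition(SAMPLE_STORE, F_W, "lz")` returns `({"lx": 0}, {"lz": 5, "lx2": "lz"})`, the split of Proposition 3.9 with $\mathsf{dom}(\sigma_1) = \mathsf{lc}(\mathsf{fl}(f_w), \sigma)$. The closure operation is the same fixpoint computation used by a garbage collector's reachability scan, which is why the partition is also the right tool for arguing that a freshly allocated cell is unreachable from any existing datum.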

Now we give the full definition of the satisfaction relation. For readability, we first list the auxiliary definitions, many of which have already been stated before.

Notation 3.10.

(a) $\mathcal{M}[u : e]$ denotes $(\nu\tilde{l})(\xi \cdot u : [\![e]\!]_{\xi,\sigma}, \sigma)$, where we always assume $u$ is fresh and the variables and labels in $e$ are free in $\mathcal{M}$.

(b) $\mathcal{M}/u$ denotes $(\nu\tilde{l})(\xi, \sigma)$ if $\mathcal{M} = (\nu\tilde{l})(\xi \cdot u : V, \sigma)$; and if $u \notin \mathsf{fv}(\mathcal{M})$ we set $\mathcal{M}/u = \mathcal{M}$.

(c) $\mathcal{M}[u : N] \Downarrow \mathcal{M}'$ when $(N\xi, \sigma) \Downarrow (\nu\tilde{l}')(V, \sigma')$ and $\mathcal{M}' = (\nu\tilde{l}\tilde{l}')(\xi \cdot u : V, \sigma')$ with $\mathcal{M} = (\nu\tilde{l})(\xi, \sigma)$, where we always assume $u$ is fresh and the variables and labels in $N$ are free in $\mathcal{M}$.

(d) $\mathcal{M} \rightsquigarrow \mathcal{M}'$ is generated by: (1) $\mathcal{M} \rightsquigarrow \mathcal{M}$; and (2) if $\mathcal{M} \rightsquigarrow \mathcal{M}_0$ and $\mathcal{M}_0[u : N] \Downarrow \mathcal{M}'$, then $\mathcal{M} \rightsquigarrow \mathcal{M}'$.

(e) We write $\mathcal{M}[e \mapsto V]$ for $(\nu\tilde{l})(\xi, \sigma[l \mapsto V])$ with $\mathcal{M} = (\nu\tilde{l})(\xi, \sigma)$ and $[\![e]\!]_{\xi,\sigma} = l$.

(f) We write $\mathcal{M} \cdot X : \alpha$ for $(\nu\tilde{l})(\xi \cdot X : \alpha, \sigma)$ with $\mathcal{M} = (\nu\tilde{l})(\xi, \sigma)$, where $X$ is not in $\mathcal{M}$ and $\alpha$ is closed.

Definition 3.11 (Satisfaction). The semantics of the assertions follows. All omitted cases are by de Morgan duality.

(1) $\mathcal{M} \models e_1 = e_2$ if $\mathcal{M}[u : e_1] \approx \mathcal{M}[u : e_2]$.

(2) $\mathcal{M} \models \neg C$ if $\mathcal{M} \not\models C$.

(3) $\mathcal{M} \models C \wedge C'$ if $\mathcal{M} \models C$ and $\mathcal{M} \models C'$.

(4) $\mathcal{M} \models \Box C$ if $\forall\mathcal{M}'.(\mathcal{M} \rightsquigarrow \mathcal{M}' \supset \mathcal{M}' \models C)$.

(5) $\mathcal{M} \models \forall x.C$ if $\forall L \in \mathcal{F}.(\mathcal{M}[x : L] \Downarrow \mathcal{M}' \supset \mathcal{M}' \models C)$.

(6) $\mathcal{M} \models \bar{\nu}x.C$ if $\forall\mathcal{M}'.((\nu l)\mathcal{M}' \approx \mathcal{M} \supset \mathcal{M}'[x : l] \models C)$.

(7) $\mathcal{M} \models \forall X.C$ if for all closed types $\alpha$, $\mathcal{M} \cdot X : \alpha \models C$.

(8) $\mathcal{M} \models [!e]C$ if for each $L \in \mathcal{F}$, $\mathcal{M}[e \mapsto L] \models C$.

(9) $\mathcal{M} \models e_1 \hookrightarrow e_2$ if for each $(\nu\tilde{l})(\xi, \sigma) \approx \mathcal{M}$, $[\![e_2]\!]_{\xi,\sigma} \in \mathsf{lc}(\mathsf{fl}([\![e_1]\!]_{\xi,\sigma}), \sigma)$.

(10) $\mathcal{M} \models e \bullet e' = x\{C\}$ if $\exists\mathcal{M}'.(\mathcal{M}[x : ee'] \Downarrow \mathcal{M}' \wedge \mathcal{M}' \models C)$.

(11) $\mathcal{M} \models e \bullet e' = z\{C\}@w$ if
\[\exists\mathcal{M}'.\Big(\mathcal{M}[z : ee'] \Downarrow \mathcal{M}' \;\wedge\; \mathcal{M}' \models C \;\wedge\; \forall\mathcal{M}''.\big(\mathcal{M}[z : \mathsf{let}\; x = !w\; \mathsf{in}\; \mathsf{let}\; y = ee'\; \mathsf{in}\; w := x] \Downarrow \mathcal{M}'' \;\supset\; \mathcal{M}'' \approx \mathcal{M}[z : ()]\big)\Big)\]

In the defining clauses above, we assume $\mathsf{fv}(e, e_{1,2}, e') \subseteq \mathsf{fv}(\mathcal{M})$, $\mathsf{fl}(e, e_{1,2}, e') \subseteq \mathsf{fl}(\mathcal{M})$, $\mathsf{fv}(L) \subseteq \mathsf{fv}(\mathcal{M})$ and $\mathsf{fl}(L) \subseteq \mathsf{fl}(\mathcal{M})$, as well as well-typedness of models and formulae.

In Definition 3.11, (2) and (3) are standard. (7) is from [24]. The others have already been explained. In (11), the program $\mathsf{let}\; x = !w\; \mathsf{in}\; \mathsf{let}\; y = ee'\; \mathsf{in}\; w := x$ first keeps the content of $w$ in $x$ and executes the application $ee'$; then it finally restores the original content of $w$. By $\mathcal{M}'' \approx \mathcal{M}[z : ()]$ the resulting model $\mathcal{M}''$ has no state change w.r.t. the original model $\mathcal{M}$: this means that $ee'$ only updates at $w$, up to $\approx$.

This concludes the introduction of the satisfaction relation for the present logic. The properties of models are explored further in the rest of this section and in § 5.



3.9. Thin and Stateless Formulae. In this subsection, we introduce two kinds of formulae which play a key role in the reasoning principles of the present logic, in particular the proof rules discussed in the next section.

The first definition introduces formulae in which the thinning of unused variables from models can be done as in first-order logic.

Definition 3.12 (Thin Formula). Let $\Gamma \vdash C$ and $y \in \mathsf{dom}(\Gamma)$ such that $y \notin \mathsf{fv}(C)$. Then we say that $C$ is thin with respect to $y$ if for each $\mathcal{M}$ typable under $\Gamma$, $\mathcal{M} \models C$ implies $\mathcal{M}/y \models C$. We say $C$ is thin if under each typing and for each $y \notin \mathsf{fv}(C)$, $C$ is thin w.r.t. $y$.

In a thin formula $C$, reference names which do not appear in $C$ do not affect the meaning of $C$. There are formulae which are not thin (we see some examples below) but they are of a very special kind. In our experience they never appear in practical reasoning, including our reasoning examples in § 6. As examples of formulae which are not thin: when an evaluation formula occurs negatively, formulae may cease to be thin. Consider the following satisfaction:

\[(\nu ll')(u : \lambda().!l',\;\; x : l,\;\; l \mapsto l',\; l' \mapsto 1) \;\models\; \Diamond\, u \bullet () = z\{z = 2\}\]

which means that $u$ is a function which might return 2 someday, since the value stored in $l'$ can be changed via $x$ (for example, by the command $!x := 2$). When we delete $x$ from the above model, the behaviour of $u$ changes as follows.

\[(\nu l')(u : \lambda().!l',\;\; l' \mapsto 1) \;\models\; \Box\, u \bullet () = z\{z = 1\}\]

since now $u$ always returns 1 when it is invoked. The above judgement entails:

\[(\nu l')(u : \lambda().!l',\;\; l' \mapsto 1) \;\not\models\; \Diamond\, u \bullet () = z\{z = 2\}\]

Hence $\Diamond\, u \bullet () = z\{z = 2\}$ is not thin. Similarly $\Diamond\Box\, u \bullet () = z\{z = 0\}$ is not a thin formula.

As noted, formulae which are not thin hardly appear in reasoning: all formulae appearing in § 6 are thin, and the proof rules always generate thin formulae from thin formulae. We shall however work with general formulae since many results hold for non-thin formulae too.

The following syntactic characterisation of thin formulae is useful.

Proposition 3.13 (Syntactically Thin Formula). (1) If $\Gamma \vdash C$, $\Gamma \vdash y : \alpha$ and $\alpha \in \{\mathsf{Unit}, \mathsf{Bool}, \mathsf{Nat}\}$, then $C$ is thin with respect to $y$.

(2) $e = e'$, $e \neq e'$, $e \hookrightarrow e'$ and $e\#e'$ are thin.

(3) If $C, C'$ are thin w.r.t. $y$, then $C \wedge C'$, $C \vee C'$, $\forall x^\alpha.C$ for all $\alpha$, $\exists x^\alpha.C$ with $\alpha \in \{\mathsf{Unit}, \mathsf{Bool}, \mathsf{Nat}\}$, $\exists X.C$, $\forall X.C$, $\nu x.C$, $\bar{\nu}x.C$, $\Box C$, $[!x]C$ and $e \bullet e' = x\{C'\}$ are thin w.r.t. $y$.

Proof. (1, 2) are immediate. For (3), suppose $C$ and $C'$ are thin w.r.t. $y$, $y \notin \mathsf{fv}(C, C')$ and $\mathcal{M} \models C \wedge C'$. Then $\mathcal{M} \models C$, hence $\mathcal{M}/y \models C$; similarly for $C'$, hence $\mathcal{M}/y \models C \wedge C'$. Similarly for the other cases. Next let $C$ be thin w.r.t. $y$ and $\mathcal{M} \models \nu x.C$. Then there exists $\mathcal{M}'$ such that $(\nu l)\mathcal{M}' \approx \mathcal{M}$ and $\mathcal{M}'[x : l] \models C$. Then $(\nu l)\mathcal{M}'/y \approx \mathcal{M}/y$. By assumption, $\mathcal{M}'[x : l]/y \models C$, and hence $\mathcal{M}/y \models \nu x.C$, as desired. Next let $C$ be thin w.r.t. $y$. Suppose $\mathcal{M} \models e \bullet e' = z\{C\}$, i.e. $\mathcal{M}[z : ee'] \Downarrow \mathcal{M}'$ and $\mathcal{M}' \models C$. Then we have $\mathcal{M}/y[z : ee'] \Downarrow \mathcal{M}'/y$. Since $C$ is thin w.r.t. $y$, we have $\mathcal{M}'/y \models C$, as required. □

The next set of formulae are stateless formulae, whose validity does not depend on the state part of the model, cf. stateless formulae in [6, 25].

Definition 3.14 (Stateless Formula). $C$ is stateless iff $C \supset \Box C$ is valid. We let $A, B, A', B', \ldots$ range over stateless formulae.

Proposition 3.15 (Stateless Formulae). (1) For all $C$, $\Box C$ is stateless.
(2) If $C$ is stateless then $C \equiv \Box C \equiv \Box\Box C$.

Proof. Both are immediate from the definition; see also § 5.2 for further related results. □

The above proposition says that if $C$ is stateless then $C$ holds in any future state starting from the present state. The following generalisation of this notion says that the validity of a formula does not depend on the stateful part of models except at specific locations. This notion is used by the axioms for local invariants later.

Definition 3.16 (Stateless Formula Except $\tilde{x}$). We say that $C$ is stateless except $\tilde{x}$ if, whenever $\mathcal{M} \models C$ and $\mathcal{M} \rightsquigarrow \mathcal{M}'$ such that $\mathcal{M}$ and $\mathcal{M}'$ coincide in their content at $\tilde{x}$ of reference types, i.e.

(1) $\mathcal{M} \approx (\nu\tilde{l})(\xi, \sigma)$;

(2) $\mathcal{M}' \approx (\nu\tilde{l}\tilde{l}')(\xi', \sigma')$; and

(3) $\sigma(\xi(x_i)) = \sigma'(\xi(x_i))$ for each $x_i \in \{\tilde{x}\}$,

then $\mathcal{M}' \models C$.
Definition 3.16 uses the internal representation of models. Alternatively we may define an $\tilde{x}$-preserving term as one which has the shape:

\[\mathsf{let}\; y_1 = !x_1\; \mathsf{in}\; \ldots\; \mathsf{let}\; y_n = !x_n\; \mathsf{in}\; \mathsf{let}\; z = N\; \mathsf{in}\; (x_1 := y_1;\; \ldots;\; x_n := y_n;\; z) \tag{3.34}\]

and then say that $C$ is stateless except $\tilde{x}$ if whenever $\mathcal{M} \models C$ and $\mathcal{M}[u : N] \Downarrow \mathcal{M}'$ where $N$ is an $\tilde{x}$-preserving term, we have $\mathcal{M}' \models C$.

Note that if $\tilde{x}$ is empty in Definition 3.16 then the third clause is vacuous: hence in this case the definition means that for each $\mathcal{M}$ such that $\mathcal{M} \models C$ we have $\mathcal{M} \rightsquigarrow \mathcal{M}'$ implies $\mathcal{M}' \models C$, that is, $C$ is stateless.

It is convenient to be able to check the statelessness of formulae (relative to references) syntactically. For an inductive characterisation, we introduce the following notion. As always we assume the standard bound name convention.

Definition 3.17 (Tame Formulae). The set of tame formulae is generated by the following rules:

• $e_1 = e_2$ and $e_1 \neq e_2$ are tame.

• $e_1 \hookrightarrow e_2$ and $e_1 \# e_2$ are tame.

• For any $C$, $\Box C$ is tame.

• If $C$ is tame then $\forall y^\alpha.C$, $\exists y^\alpha.C$, $\exists X.C$, $\forall X.C$, $[!y]C$ and $\langle !y \rangle C$ are all tame.

• If $C, C'$ are tame then $C \wedge C'$ and $C \vee C'$ are tame.

We say that $!x$ is an active dereference in $C$ if $C$ is tame and $!x$ (with $x$ being free or bound) occurs neither in the scope of $\Box$, $[!x]$ nor $\langle !x \rangle$.

The following result (though not used in the present work) is notable for carrying over reasoning techniques from the logic for aliasing [6].

Proposition 3.18 (Decomposition). Suppose $C$ is tame. Then there is a tame $C'$ such that $C \equiv C'$ and $C'$ does not contain content quantifications except under the scope of $\Box$.

Proof. The proof follows precisely that of [6, § 6.1, Theorem 1]. □

We can now introduce syntactic stateless formulae.

Definition 3.19 (Syntactic Stateless Formulae). We say $C$ is syntactically stateless except $\tilde{x}$ if $C$ is tame and only names from $\tilde{x}$ are among the active dereferences in $C$.

Proposition 3.20.

(1) If $C$ is syntactically stateless except $\tilde{x}$ then $C$ is stateless except $\tilde{x}$.

(2) If $[!\tilde{x}]C$ is syntactically stateless then $C$ is stateless except $\tilde{x}$.

Proof. (1) is by induction on the generation of tame formulae. The base cases and $\Box C$ are immediate. Among the inductive cases the only non-trivial case is quantification over references. Suppose $C$ is tame and contains active dereferences at $\tilde{x}y$.

• If the validity of $C$ relies on $y$ (i.e. for some $\mathcal{M}_{1,2}$ which differ only at $y$ we have $\mathcal{M}_1 \models C$ and $\mathcal{M}_2 \not\models C$) then $\forall y^\alpha.C$ is falsity; if not, $\forall y^\alpha.C$ and $C$ are equivalent. In either case we know $\forall y^\alpha.C$ is stateless except $\tilde{x}$.

• If the validity of $C$ relies on $y$ then $\exists y^\alpha.C$ is truth; if not, $\exists y^\alpha.C$ and $C$ are equivalent. The rest is the same.

• If the validity of $[!y]C$ relies on the content of $y$ then $[!y]C$ is falsity; the rest is the same. Similarly for $\langle !y \rangle C$.

The cases of $C \wedge C'$ and $C \vee C'$ are immediate by induction. (2) is an immediate corollary of (1). □
4. Proof Rules and Soundness

4.1. Hoare Triples. This subsection summarises judgements and proof rules for local state. The main judgement consists of a program and a pair of formulae following Hoare [17], augmented with a fresh name called anchor [22, 24, 25]:

{C} M :_u {C'}

which says:

If we evaluate M in an initial state satisfying C, then it terminates with a value, name it u, and a final state, which together satisfy C'.

Note that our judgements are about total correctness. Sequents have the same shape as those in [6, 25]; the computational situations described are however quite different, in that both C and C' may now describe behaviour and data structures with local state.

The same sequent is used for both validity and provability. If we wish to be specific, we prefix it with either ⊢ (for provability) or ⊨ (for validity). We assume that judgements are well-typed in the sense that, in {C} M :_u {C'}, we have Γ ⊢ M : α, Γ, Δ ⊢ C and u : α, Γ, Δ ⊢ C' for some Δ such that dom(Δ) ∩ (dom(Γ) ∪ {u}) = ∅.

In {C} M :_u {C'}, the name u is the anchor of the judgement, which should not be in dom(Γ) ∪ fv(C); C is the pre-condition and C' is the post-condition. The primary names are dom(Γ) ∪ {u}, while the auxiliary names (ranged over by i, j, k, ...) are those free names in C and C' which are not primary. An anchor is used for naming the value of M and for specifying its behaviour. We use the abbreviation {C} M {C'} to denote {C} M :_u {u = () ∧ C'}.

4.2. Proof Rules. The full compositional proof rules and new structural rules are given in Figure 1. In each proof rule, we assume all occurring judgements to be well-typed and no primary names in the premise(s) to occur as auxiliary names in the conclusion. We write C^{-x} to indicate fv(C) ∩ {x} = ∅. Despite our semantic enrichment, all compositional proof rules in the base logic [6] (and [Rec-Ren] from [23]) syntactically stay as they are, except for:

• adding a rule for reference generation,

• revising [Abs] and [App] so that they use one-sided evaluation formulae,

• adding the thinness condition on the post-condition of the conclusion in [Case], [App], [Assign] and [Deref].

The thinness condition is required when the anchor names used in the premise contribute to C' in the conclusion. The reason for this becomes clearer when we prove soundness. This condition does not jeopardise the completeness of our logic. All reasoning examples we have explored meet this condition, including those in §6.

Note that in [Add], since C' is always thin with respect to m_i by Proposition 3.13 (1), we do not have to state this condition explicitly. Similarly for [If], since C' is always thin with respect to b.

[Assign] uses logical substitution, which is built with content quantification to represent substitution of the content of a possibly aliased reference [6]:

C{|e2/!e1|} ≡ ∀m.(m = e2 ⊃ [!e1](!e1 = m ⊃ C))

with m fresh (we have a dual characterisation by ⟨!e1⟩). Intuitively C{|e2/!e1|} describes the situation where a model satisfying C is updated at the memory cell referred to by e1 (of a reference type) with a value e2 (of its content type), with e1 and e2 interpreted in the current model.
[Var]
    ——————————————————
    {C[x/u]} x :_u {C}

[Const]
    ——————————————————
    {C[c/u]} c :_u {C}

[Add]
    {C} M1 :_{m1} {C0}    {C0} M2 :_{m2} {C'[m1 + m2/u]}
    ——————————————————————————————————————————————————
    {C} M1 + M2 :_u {C'}

[Inj]
    {C} M :_v {C'[inj_1(v)/u]}
    ———————————————————————————
    {C} inj_1(M) :_u {C'}

[Case]
    {C} M :_m {C0}    {C0[inj_i(x_i)/m]} M_i :_u {C'^{-x_i}}   (i ∈ {1, 2})
    ————————————————————————————————————————————————————————————————————
    {C} case M of {inj_i(x_i).M_i}_{i∈{1,2}} :_u {C'}

[Proj]
    {C} M :_m {C'[π_1(m)/u]}
    —————————————————————————
    {C} π_1(M) :_u {C'}

[Pair]
    {C} M1 :_m {C0}    {C0} M2 :_n {C'[(m, n)/u]}
    ———————————————————————————————————————————————
    {C} (M1, M2) :_u {C'}

[Abs]
    {A^{-xĩ} ∧ C} M :_m {C'}
    ——————————————————————————————————————————
    {A} λx.M :_u {□∀xĩ.({C} u • x = m {C'})}

[App]
    {C} M :_m {C0}    {C0} N :_n {m • n = u {C'}}
    ———————————————————————————————————————————————
    {C} MN :_u {C'}

[If]
    {C} M :_b {C0}    {C0[t/b]} M1 :_u {C'}    {C0[f/b]} M2 :_u {C'}
    ——————————————————————————————————————————————————————————————
    {C} if M then M1 else M2 :_u {C'}

[Deref]
    {C} M :_m {C'[!m/u]}
    —————————————————————
    {C} !M :_u {C'}

[Assign]
    {C} M :_m {C0}    {C0} N :_n {C'{|n/!m|}}
    ———————————————————————————————————————————
    {C} M := N {C'}

[Rec-Ren]
    {A^{-fi} ∧ ∀j ≤ i.B(j)[f/u]} λx.M :_u {B(i)}
    ——————————————————————————————————————————————
    {A} μf.λx.M :_u {∀i.B(i)}

[Ref]
    {C} M :_m {C'}
    ——————————————————————————————————————————————
    {C} ref(M) :_u {νx.(C'[!u/m] ∧ u#i ∧ u = x)}

[Cons]
    C ⊃ C0    {C0} M :_u {C0'}    C0' ⊃ C'
    ———————————————————————————————————————
    {C} M :_u {C'}

[Subs]
    {C} M :_u {C'}    u ∉ fpn(e)
    —————————————————————————————
    {C[e/i]} M :_u {C'[e/i]}

[Cons-Eval]
    {C0} M :_m {C0'}    x fresh, ĩ auxiliary
    □∀X̃.∀ĩ.{C0} x • () = m {C0'} ⊃ □∀X̃.∀ĩ.{C} x • () = m {C'}
    ——————————————————————————————————————————————————————————————
    {C} M :_m {C'}

We require C' to be thin w.r.t. m in [Case] and [Deref], and thin w.r.t. m, n in [App] and [Assign].

Figure 1: Proof Rules



In rule [Ref], u#i indicates that the newly generated cell u is unreachable from any i of arbitrary type X in the initial state; the result of evaluating M is then stored in that cell.^6 Here i is a(ny) fresh variable denoting an arbitrary datum which already existed in the pre-state. Just as the standard auxiliary variable in Hoare-like logics, this i is semantically bound at the sequent level. In a large proof, we may want each instance of [Ref] to use a fresh and distinct variable, even though in practice we usually apply the substitution rule discussed below to instantiate this "bound" variable with an appropriate expression, so that name clashes do not occur.^7

For the structural rules (i.e. those which only manipulate assertions), those given in [6, §7.3] for the base logic stay valid, except that the universal abstraction rule [Aux_∀] in [6, §7.3] needs to be weakened into [Aux_∀] and [Aux_∀ν] in Figure 1. Note that the original structural rule [Aux_∀], which does not have this condition, is not valid in the presence of new reference generation. For example we can take:

{T} ref(3) :_u {u#i ∧ !u = 3}   (4.1)

which is surely valid. But without the side condition, we could infer the following from (4.1):

{T} ref(3) :_u {∀i.(u#i ∧ !u = 3)}

which does not make sense (just substitute u for i). This is because i cannot range over newly generated names: such an interplay with new name generation is not possible if the target program is a value, or if i is of base type.

^6 One may write the conclusion of this rule as {C} ref(M) :_u {C'[!u/m] ∧ u#i^X}, which may be useful for readability. In this paper however we intentionally do not introduce this or other abbreviations, for the sake of clarity.

^7 The treatment of a fresh variable as an input binder in [Ref] is useful for mechanisation of reasoning, just like auxiliary variables in Hoare triples.

We also have two useful structural rules added in the present logic. The first rule is [Subs] in Figure 1, which can be used to instantiate the fresh variable i in [Ref] with an arbitrary datum. The rule uses the following set of reference names.

Definition 4.1 (Plain Name). We write fpn(e) for the set of free plain names of e, defined as: fpn(x) = {x}, fpn(c) = fpn(!e) = ∅, fpn((e, e')) = fpn(e) ∪ fpn(e'), and fpn(inj_i(e)) = fpn(e).

In brief, the set of free plain names of e contains the reference names in e that do not occur dereferenced. As we shall see later, the side condition for [Subs] using fpn(e) is necessary for soundness.

As an example usage of [Subs], consider:

{!z = 2} ref(2) :_m {!m = 2 ∧ i#m}   (4.2)

where we take off ν by an axiom introduced later. We can then use [Subs] to show:

{!z = 2} ref(2) :_m {!m = 2 ∧ z#m}   (4.3)

Note m ∈ fpn(m): hence we cannot use m instead of z in (4.3), which would be obviously unsound. As another use of [Subs], consider the judgement:

{T} (ref(2), ref(2)) :_m {!π_1(m) = 2 ∧ !π_2(m) = 2 ∧ π_1(m) ≠ π_2(m)}   (4.4)

In order to derive (4.4), we simply combine (4.2) with the following judgement:

{!m = 2 ∧ i#m} ref(2) :_n {!m = 2 ∧ !n = 2 ∧ j#n}   (4.5)

where we use a different fresh variable j. We can now replace j with m using [Subs] (which is allowed since n ∉ fpn(m)), and via [Cons], using m#n ⊃ m ≠ n, we obtain:

{!m = 2 ∧ i#m} ref(2) :_n {!m = 2 ∧ !n = 2 ∧ m ≠ n}   (4.6)

from which we can infer (4.4) by pairing, combined with (4.2).

Another significant additional rule is [Cons-Eval], also given in Figure 1. This is a strengthened version of the standard consequence rule, and is used when incorporating the local invariant axiom of the evaluation formula into the derivations of the examples in §6. Technically, this is a consequence of (a) having a proof system by which we can compositionally build proofs; and (b) representing fresh generation of references by disjointness from fresh variables. We shall see in the examples that it is useful in reasoning.

The full list of structural rules can be found in Appendix B.



4.3. Located Judgements. Proof rules which contain an explicit effect set (similar to located evaluation formulae) were introduced in [6] and are of substantial help in reasoning about programs. Located Hoare triples take the form:

{C} M :_u {C'}@ẽ

where each e_i is of a reference type and does not contain (sub)expressions of the form !e';^8 ẽ is called the effect set. We prefix the triple with either ⊢ (for provability) or ⊨ (for validity) if we wish to be specific.

The full rules are listed in Figure 4 (proof rules) and Figure 5 (structural rules) in Appendix B. All rules come from [6] except for the new name generation rule and the universal quantification rule, both corresponding to the new rules in the basic proof system. The structural rules are also revised along the lines of Figure 1.



4.4. Invariance Rules for Reachability. Invariance rules are useful for modular reasoning. A simple form is when there is no state change, i.e. when the program is a value:

[Inv-Val]
    {C} V :_m {C'}
    ——————————————————————————
    {C ∧ C0} V :_m {C' ∧ C0}

Alternatively, if a formula is stateless it continues to hold irrespective of state change:

[Inv-Stateless]
    {C} M :_m {C'}
    ————————————————————————————
    {C ∧ □C0} M :_m {C' ∧ □C0}

When an invariance rule is formulated with (un)reachability predicates, however, one needs some care. Since reachability is a stateful property, it is generally not invariant under state change. For example, suppose x is unreachable from y; after running y := x, x becomes reachable from y. Hence the following rule is unsound.

[Unsound-Inv]
    {C} M :_m {C'}
    ——————————————————————————————   (unsound)
    {C ∧ e#e'} M :_m {C' ∧ e#e'}

From the following general invariance rule [Inv], we can derive an invariance rule for #.

[Inv]
    {C} M :_m {C'}@w̃    C0 is tame
    ————————————————————————————————————————
    {C ∧ [!w̃]C0} M :_m {C' ∧ [!w̃]C0}@w̃

In [Inv], the effect set w̃ gives the minimum information by which the assertion we wish to add, C0, can be stated as an invariant, since [!w̃]C0 says that C0 holds regardless of the content of w̃. Thus C0 stays invariant after the execution of M. Unlike the existing invariance rules found in standard Hoare logic or in Separation Logic [56], we need no side condition "M does not modify stores mentioned in C0": C and C0 may even overlap in the references they mention, and C does not have to mention all references M may read or write.

The following instance of [Inv] is useful.

[Inv-#]
    {C} M :_m {C'}@x    no dereference occurs in e
    ———————————————————————————————————————————————
    {C ∧ x#e} M :_m {C' ∧ x#e}@x

In [Inv-#], we note that [!x]x#e ≡ x#e is always valid if e contains no dereference !e', cf. Proposition 5.9 (3)-(5) later. Hence x#e is stateless except at x. The side condition is indispensable: consider {T} x := x {T}@x (which is typable with recursive types), which does not imply {x#!x} x := x {x#!x}@x.

One of the important aspects of these invariance rules is that the effect set of a located judgement or assertion can contain a hidden name, i.e. a name which has been created and which is (partially) accessible. For example, we can infer (using [LetRef] in §6.1):^9

{!y = h} let x = ref(2) in !y := x :_u {νx.(!h = x ∧ !x = 2 ∧ !y = h ∧ x#i)}@h

^8 This restriction is for a simplification of the interpretation, and can be taken off if ẽ is interpreted in the pre-condition.

^9 Since !y is stated in the pre-condition, we can also write {T} let x = ref(2) in !y := x :_u {νx.(!x = 2 ∧ !!y = x ∧ x#i)}@!y, cf. footnote 8.
4.5. Soundness. Let M be a model (νl̃)(ξ, σ) of type Γ, and Γ ⊢ M : α with u fresh. Then validity ⊨ {C} M :_u {C'} is given by (with the model including all variables in the program M, C and C' except u):

⊨ {C} M :_u {C'}  ≡_def  ∀M.(M ⊨ C ⊃ (M[u : M] ⇓ M' ∧ M' ⊨ C'))   (4.7)

where the notation M[u : N] ⇓ M' appeared in Definition 3.11. This is equivalent to, with V ≡_def λ().M:

∀M.(M[m : V] ⊨ □{C} m • () = u {C'})

Similarly the semantics of the located judgement

⊨ {C} M :_u {C'}@x̃   (4.8)

is given through the corresponding located assertion, using the following term (let z be fresh):

V ≡_def let z = ref(0) in λ().if !z = 0 then let m = M in (z := !z + 1; m) else Ω   (4.9)

where Ω is a diverging closed term (in fact any closed program works). The use of z is to prevent leakage of information from m after the evaluation: after the first evaluation m can never reveal any information, so this is the same as evaluating M once. With this V we set the definition of (4.8) as follows:

∀M.(M[m : V] ⊨ □{C} m • () = u {C'}@x̃)   (4.10)

Among the proof rules, the only non-trivial addition to the preceding systems (in fact the only difference) is the rule for reference generation. For its soundness we use the free plain names as defined in Definition 4.1 (recall fpn(e) is the set of reference names in e that do not occur dereferenced). For free plain names we note:

Lemma 4.2. Let u ∉ fpn(e). Then for all M, with u fresh, we have: M[u : ref(M)] ⇓ M' implies M' ⊨ u#e.

Proof. Suppose M = (νl̃)(ξ, σ) and M[u : ref(M)] ⇓ M'. Then M' = (νl̃ l̃' l)(ξ · u : l, σ' · [l ↦ V]) where (νl̃)(M, ξ, σ) ⇓ (νl̃ l̃')(V, σ') and l ∉ fl(ξ, σ') is the label of the new cell. Since u ∉ fpn(e), the datum [[e]] in M' is either one already denoted in (ξ, σ') or is built from V (when u occurs in e only under a dereference); in both cases the labels reachable from it lie in fl(ξ, σ'), which exclude l. Hence M' ⊨ u#e. □

We can now establish:

Theorem 4.3 (Soundness). ⊢ {C} M :_u {C'} implies ⊨ {C} M :_u {C'}.

Proof. Except for [Ref], all rules precisely follow [6, §8.2] (except for the use of thinness, which allows the same reasoning as in [6, §8.2] to go through). For [Ref], we have, with l fresh:

M ⊨ C
  ⟹ M[m : M] ⇓ M' ∧ M' ⊨ C'                                             (hypothesis)
  ⟹ M[m : M][u : ref(m)] ⇓ (νl)M'' ∧ M'' ⊨ C' ∧ !u = m,  with M'' ≡_def M'[u : l][l ↦ V]
  ⟹ M[u : ref(M)] ⇓ (νl)M''/m ∧ M''/m ⊨ C'[!u/m] ∧ u#i                  (Lemma 4.2)
  ⟹ M''/m[x : l] ⊨ C'[!u/m] ∧ u#i ∧ x = u
  ⟹ (νl)M''/m ⊨ νx.(C'[!u/m] ∧ u#i ∧ x = u)

See Appendix B.1 for the full proofs. □

Theorem 4.4 (Soundness). ⊢ {C} M :_u {C'}@ẽ implies ⊨ {C} M :_u {C'}@ẽ.

Proof. As above (and for the remaining rules as in [6, §8.2]). See Appendix B.1 for [Ref] and the invariance rules. □
5. Axioms and Local Invariants

This section studies the basic axioms for the logical constructs, including those for local state.

5.1. Axioms for Equality. Equality, logical connectives and quantifiers satisfy the standard axioms (quantifications need a modest use of thinness, see Proposition 5.8 later). For logical connectives, this is direct from the definition. For equality and quantification, however, this is not immediate, due to the non-standard definition of their semantics.

First we check that equality indeed satisfies the standard axioms for equality. We start from the following lemmas. C[u/v; v/u] denotes a simultaneous substitution.

Lemma 5.1. Let M have type Γ.

(1) (injective renaming) Let u, v ∈ dom(Γ). Then M ⊨ C iff M[u/v; v/u] ⊨ C[u/v; v/u].

(2) (permutation) Let u, v ∈ dom(Γ). Then we have M ⊨ C iff M' ⊨ C[u/v; v/u], where M' is M with the entries for u and v exchanged.

(3) (exchange) Let u, v ∉ fv(e, e'). Then we have M[u : e][v : e'] ⊨ C iff M[v : e'][u : e] ⊨ C.

(4) (partition and monotonicity) Let M = (νl̃)(ξ, σ) be of type Γ and M' = (νl̃ l̃')(ξ · ξ', σ · σ') be such that (fl(σ') ∪ fl(ξ')) ∩ {l̃} = ∅. Further let Γ ⊢ C. Then M ⊨ C iff M' ⊨ C. In particular, with u ∉ fv(C), we have M ⊨ C iff M[u : V] ⊨ C.

(5) (symmetry) M ⊨ e1 = e2 iff, for fresh and distinct u, v: M[u : e1][v : e2] ≈ M[u : e2][v : e1].

(6) (substitution) M[u : x][v : e] ≈ M[u : x][v : e[u/x]]; and M[u : e][v : e'] ≈ M[u : e][v : e'[e/u]].

Proof. All are elementary, mostly by (simultaneous) induction on C. □

In (4) above, note that the extended part of M' on top of M may refer to free labels of M but (since M is a model) no labels in M can ever refer to (free or bound) labels in M'.

We are now ready to establish the standard axioms for equality.

Lemma 5.2 (axioms for equality). For any model M and x, y, z and C:

(1) M ⊨ x = x, M ⊨ x = y ⊃ y = x and M ⊨ (x = y ∧ y = z) ⊃ x = z.

(2) M ⊨ (C(x, y) ∧ x = y) ⊃ C(x, x).

where C(x, y) indicates C together with some of the occurrences of x and y, while C(x, x) is the result of substituting x for y, i.e. C(x, y)[x/y], see [33, §2.4].

Proof. For the first clause, reflexivity is because M[u : x] ≈ M[u : x], while symmetry and transitivity are inherited from those of ≈. For the second clause, we proceed by induction on C. We show the case where C is e1 = e2. The case where C is e1 ↪ e2 is straightforward by definition. The other cases are by induction on C.

It suffices to prove that M ⊨ x = y and M ⊨ C imply M ⊨ C[x/y].

M ⊨ x = y  ⟹  M[u : x][v : y] ≈ M[u : y][v : x]   (5.1)
           ⟹  M[u : x][v : y][w : e_i] ≈ M[u : y][v : x][w : e_i]   (5.2)

Here (5.1) is by Lemma 5.1 (5) and (5.2) follows from the congruence of ≈. Then, for i ∈ {1, 2}:

M[u : x][v : y][w : e_i]
  ≈ M[u : x][v : y][w : e_i[v/y]]          (Lem. 5.1 (6))
  ≈ M[u : y][v : x][w : e_i[v/y]]          (5.2)
  ≈ M[u : y][v : x][w : e_i[v/x][v/y]]     (Lem. 5.1 (6))
  ≈ M[u : y][v : x][w : e_i[x/x][x/y]]     (Lem. 5.1 (6))
  ≈ M[w : e_i[x/x][x/y]][u : y][v : x]     (Lem. 5.1 (3))

and

M ⊨ e1 = e2  ⟹  M[u : x][v : y] ⊨ e1 = e2   (Lem. 5.1 (4))
             ⟹  M[u : x][v : y][w : e1] ≈ M[u : x][v : y][w : e2]

Thus we get

M[w : e1[x/x][x/y]][u : y][v : x]  ≈  M[u : x][v : y][w : e1]
                                   ≈  M[u : x][v : y][w : e2]
                                   ≈  M[w : e2[x/x][x/y]][u : y][v : x]

This allows us to conclude

M[w : e1[x/x][x/y]] ≈ M[w : e2[x/x][x/y]]

which is equivalent to M ⊨ C(x, x), as required. □
5.2. Axioms for Necessity Operators. We list basic axioms for the necessity and possibility operators. Below recall that ◇C ≡_def ¬□¬C.

Proposition 5.3 (Necessity Operator).

(1) □(C1 ⊃ C2) ⊃ (□C1 ⊃ □C2); □C ⊃ C; □□C ≡ □C; C ⊃ ◇C. Hence □C ⊃ ◇C.

(2) (permutation and decomposition)

(a) □e1 = e2 ≡ e1 = e2 and □e1 ≠ e2 ≡ e1 ≠ e2 if e1 and e2 do not contain dereferences.

(b) □(C1 ∧ C2) ≡ □C1 ∧ □C2.

(c) □C1 ∨ □C2 ⊃ □(C1 ∨ C2).

(d) □∀x.C ⊃ ∀x.□C and □∀x.□C ≡ □∀x.C.

(e) ∃x.□C ⊃ □∃x.C and □∃x^α.C ≡ ∃x^α.□C with α ∈ {Unit, Bool, Nat}.

(f) □νx.C ≡ νx.□C.

(g) □∃X.C ≡ ∃X.□C and □∀X.C ≡ ∀X.□C.

(h) □[!x]C ≡ [!x]□C ≡ □C, and ⟨!x⟩□C ≡ □C ⊃ □⟨!x⟩C.

Proof. See Appendix C.2. □

By the second axiom in (d), we can derive fresh = fresh3 in the last example of §2.3.

The following proposition clarifies the interplay between □C and evaluation formulae, and is useful in many examples. Recall below that e • e' ⇑ (defined in Notation 2.1) means that the application diverges.

Proposition 5.4 (Perpetuity). With z fresh, □C ≡ ∀X, Y.∀f^{X⇒Y}.∀x^X.(f • x ⇑ ∨ f • x = z{□C}). Again with z fresh, □C ≡ ∀X, Y.∀f^{X⇒Y}.∀x^X.(f • x ⇑ ∨ f • x = z{C}).

Proof. Throughout we use □C ≡ □□C. For the first equivalence, suppose M ⊨ □C and M[f : L][x : L'][z : f x] ⇓ M'. Then step by step we reach M' ⊨ □C by the definition of □C. For the other direction, suppose the right-hand side holds and, for arbitrary N and N', M[u : N][w : N'] ⇓ M'. By assumption M[f : λ().N][z : f()][w : N'] ⇓ M' with M' ⊨ C. Since M[u : N][w : N'] ⊨ C for all such N', we have M[u : N] ⊨ □C, hence M ⊨ □C, as required. For the second equivalence, the "only-if" direction is immediate, while the "if" direction is proved as the previous "if" direction, observing that we can combine an arbitrary number of applications into a single one. □

N. YOSHIDA, K. HONDA, AND M. BERGER

The first logical equivalence of Proposition 5.4 allows us to say that if □C holds, a procedure is executed and the evaluation terminates, then □C (hence in particular C) holds again. In essence, this is why a specification using □C (or its equivalent) is useful: it allows us to specify a behaviour which holds regardless of the execution of other procedures and the resulting state change. The second logical equivalence shows that, in addition, we can in fact define □C via evaluation formulae (which directly corresponds to the semantics of □C in §3).

Next, the following proposition says that located assertions are derived constructs, definable by combining non-located assertions and content quantification.

Proposition 5.5 (Decomposition of Located Evaluation Formula).

x • y = z{C}@w̃  ≡  ∀u^{Unit⇒Unit}.(u • () ⇑ ⊃ x • y = z{C ∧ ⟨!w̃⟩ u • () ⇑})

Proof. In the following discussion we consider w̃ to be a singleton w for simplicity. First assume the left-hand side holds for a model, say M. Then the application only changes the content of w, hence if u • () ⇑ then by restoring the content of w we again have u • () ⇑. Secondly assume the right-hand side holds but the left-hand side does not. Then there must be some u which uses this difference at w to change its diverging behaviour, hence a contradiction. □

This decomposition uses content quantification to define located evaluation formulae where the effect set is restricted to specified finite locations. We can generalise located assertions to those which specify the range of effects by formulae, which is sometimes useful. Such formulae can also be decomposed in the same way using an extended form of content quantification.

5.3. Axioms for Hiding. Next we list basic axioms for hiding quantifiers. The most convenient axiom is about the elimination of hiding quantifiers introduced by reference generation. To formulate this, we need some preparation.

Definition 5.6 (Monotone/Anti-Monotone Formulae). C is monotone if M ⊨ C and l ∉ fl(C) imply (νl)M ⊨ C. C is anti-monotone if ¬C is monotone.

The proof of the following proposition is similar to that of Proposition 3.13.

Proposition 5.7 (Syntactic Monotone/Anti-Monotone Formulae).

(1) T, F, e = e', e ≠ e', e ↪ e' and e#e' are monotone.

(2) If C, C' are monotone, then C ∧ C', C ∨ C', ∀x^α.C for all α, ∃x^α.C with α ∈ {Unit, Bool, Nat}, ∃X.C, ∀X.C, νx.C, □C, [!x]C, and e • e' = x{C'} are monotone.

(3) The conditions exactly dual to (1) and (2) give anti-monotone formulae.

Proposition 5.8 (Axioms for ∀, ∃ and ν). Below we assume there is no capture of variables in types and formulae.

(1) (introduction) C ⊃ νx.C if x ∉ fv(C).

(2) (elimination) νx.C ≡ C if x ∉ fv(C) and C is monotone.

(3) For any C we have C ⊃ ∃x.C. Given C such that x ∉ fv(C) and C is thin with respect to x, we have ∃x.C ⊃ C.

(4) For any C we have ∀x.C ⊃ C. For C such that x ∉ fv(C) and C is thin with respect to x, we have C ⊃ ∀x.C.

(5) νx.(C1 ∧ C2) ⊃ νx.C1 ∧ νx.C2.

(6) νx.(C1 ∨ C2) ≡ νx.C1 ∨ νx.C2.

(7) νy.∀x.C ⊃ ∀x.νy.C.

(8) ∃x.νy.C ⊃ νy.∃x.C and ∃x^α.νy.C ≡ νy.∃x^α.C with α ∈ {Unit, Bool, Nat}.

(9) νy.νx.C ≡ νx.νy.C.

(10) νy.∃X.C ≡ ∃X.νy.C and νy.∀X.C ⊃ ∀X.νy.C.

(11) νy.[!x]C ⊃ [!x]νy.C and νy.⟨!x⟩C ⊃ ⟨!x⟩νy.C.

Proof. See Appendix C.4. □

For (1) and (2), it is notable that we do not generally have C ⊃ νx.C even if C is thin. Neither does νx.C ⊃ C with x ∉ fv(C) hold in general.

For the counterexample to C ⊃ νx.C without the side condition, let M ≡_def ({x : l, x' : l}, {l ↦ 5}). Then M ⊨ x = x' but we do not have M ⊨ νy.y = x' since l is certainly not hidden (x is renamed to the fresh y to avoid confusion).

For the counterexample to νx.C ⊃ C with x ∉ fv(C), let M ≡_def (νl)({u : λ().!l}, {l ↦ 5}). Then we have:

M ⊨ □ u • () = z{z = 5}

Also we have:

M ⊨ νx.◇ u • () = z{z = 0}

with M[x : l] ⊨ ◇ u • () = z{z = 0}, since once x is visible its content can be overwritten with 0 before u is called. If we apply νx.C ⊃ C to the above formula, we have M ⊨ ◇ u • () = z{z = 0}, which contradicts M ⊨ □ u • () = z{z = 5}.

Note this shows that integrating these quantifiers with the standard universal and existential quantifiers lets the latter lose their standard axioms, motivating the introduction of the ν-operator: by Proposition 5.8 (1, 2, 3), neither ∃x.C ⊃ ∀x.C nor νx.C ⊃ ∃x.C (with x typed by a reference type) holds in general (if x ∉ fv(C) and C is thin, then ∃x.C ⊃ C ⊃ ∀x.C; and if x ∉ fv(C) and C is monotone, then νx.C ⊃ C ⊃ ∃x.C).

The content quantifiers also have useful axioms. Appendix C.3 lists a selection.



5.4. Axioms for Reachability. We start from axioms for reachability. Note that our types include recursive types.

Proposition 5.9 (axioms for reachability). The following assertions are valid.

(1) (1) x ↪ x; (2) x ↪ y ∧ y ↪ z ⊃ x ↪ z.

(2) (1) y#x^α with α ∈ {Unit, Nat, Bool}; (2) x#y ⊃ x ≠ y; (3) x#w ∧ w ↪ u ⊃ x#u.

(3) (1) (x1, x2) ↪ y ≡ x1 ↪ y ∨ x2 ↪ y; (2) inj_i(x) ↪ y ≡ x ↪ y; (3) x^{Ref(α)} ↪ !x; (4) x^{Ref(α)} ↪ y ∧ x ≠ y ⊃ !x ↪ y; (5) [!x]y ↪ x ≡ y ↪ x and [!x]x#y ≡ x#y.

Proof. (1), (2) and (3)-(1–4) are direct from the definition (e.g. for (3)-(2) we observe l ∈ fl(inj_i(V)) iff l ∈ fl(V)). For (3)-(5), suppose M ⊨ y ↪ x, and take M' which only differs from M in the stored value at (the reference denoted by) x. Since M ⊨ y ↪ x holds, there is a shortest sequence of connected references from y to x which, by definition, does not include x as an intermediate node. Hence this sequence also exists in M', i.e. M' ⊨ y ↪ x, proving [!x]y ↪ x ≡ y ↪ x. Similarly, we can prove [!x]x#y ≡ x#y. □

(3)-(5) says that altering the content of x does not affect reachability to x. Note that [!x]y#x ≡ y#x is not valid at all. (3)-(5) was already used for deriving [Inv-#] in §4.4 (notice that we cannot substitute !x for y in [!x]x#y, to avoid name capture [6]).
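To make these reachability axioms concrete, the following Python is an added example (it is not code from the paper): a finite, first-order model of the store in which e1 ↪ e2, e1#e2, the free plain names fpn(e) of Definition 4.1, the fresh-cell property of Lemma 4.2, the [Unsound-Inv] counterexample of §4.4, axioms (3)-(3) and (3)-(5) above, and the elimination x ↪ y ≡ !x = y at type Ref(Ref(Nat)) can all be executed. Labels, variable names and stored values are constructed for the example; functions (the intractable case of Proposition 5.13) are left out.

```python
# Added example (not from the paper): an executable first-order reading of
# e1 ↪ e2, e1#e2, fpn(e) and Lemma 4.2.  Labels are strings such as "l1"; pairs
# are ("pair", v1, v2); injections are ("inj", i, v); base values are ints.
# Variable names, labels and stored values below are constructed for the example.
from dataclasses import dataclass, field
from itertools import count


def fl(v):
    """Free labels of a first-order value."""
    if isinstance(v, str):                      # a label, i.e. a reference
        return {v}
    if isinstance(v, tuple):                    # ("pair", a, b) or ("inj", i, a)
        return set().union(*(fl(c) for c in v[1:]))
    return set()                                # Unit/Bool/Nat carry no labels


def fpn(e):
    """Free plain names (Definition 4.1): reference names of e not under a dereference."""
    tag = e[0]
    if tag == "var":
        return {e[1]}
    if tag in ("const", "deref"):               # fpn(c) = fpn(!e) = ∅
        return set()
    if tag == "pair":
        return fpn(e[1]) | fpn(e[2])
    return fpn(e[2])                            # inj_i(e)


def var(x):
    return ("var", x)


def deref(e):
    return ("deref", e)


@dataclass
class Model:
    env: dict                                     # ξ: variable name -> value
    store: dict                                   # σ: label -> value
    fresh: count = field(default_factory=count)   # source of new labels

    def eval(self, e):
        """[[e]]_{ξ,σ}: interpret an expression in the current model."""
        tag = e[0]
        if tag == "var":
            return self.env[e[1]]
        if tag == "const":
            return e[1]
        if tag == "deref":
            return self.store[self.eval(e[1])]
        if tag == "pair":
            return ("pair", self.eval(e[1]), self.eval(e[2]))
        return ("inj", e[1], self.eval(e[2]))

    def reach(self, v):
        """Labels reachable from v by repeated dereferencing (a label reaches itself)."""
        seen, todo = set(), list(fl(v))
        while todo:
            l = todo.pop()
            if l not in seen:
                seen.add(l)
                todo.extend(fl(self.store[l]))
        return seen

    def reaches(self, e1, e2):
        """M ⊨ e1 ↪ e2: the reference e2 is reachable from the datum e1."""
        return self.eval(e2) in self.reach(self.eval(e1))

    def disjoint(self, e1, e2):
        """M ⊨ e1#e2: the reference e1 is unreachable from the datum e2."""
        return self.eval(e1) not in self.reach(self.eval(e2))

    def assign(self, x, e):
        """x := e"""
        self.store[self.env[x]] = self.eval(e)

    def new_ref(self, u, e):
        """u := ref(e): a label occurring nowhere in ξ or σ, holding the value of e."""
        v = self.eval(e)
        l = next(f"n{i}" for i in self.fresh if f"n{i}" not in self.store)
        self.store[l] = v
        self.env[u] = l
        return l


def fresh_cell_lemma():
    """Lemma 4.2 replayed: after u := ref(2), u#e holds for each e with u ∉ fpn(e);
    e = u (where u ∈ fpn(u)) is the instance of [Subs] that (4.3) rules out.
    Returns {e: (u ∉ fpn(e), M' ⊨ u#e)}."""
    m = Model(env={"z": "l1"}, store={"l1": 2})
    m.new_ref("u", ("const", 2))
    cases = {"z": var("z"), "!u": deref(var("u")),
             "(z,!u)": ("pair", var("z"), deref(var("u"))), "u": var("u")}
    return {n: ("u" not in fpn(e), m.disjoint(var("u"), e)) for n, e in cases.items()}


def stateful_reachability():
    """Reachability changes under assignment ([Unsound-Inv]), but the content of x never
    affects reachability *to* x (axiom (3)-(5)).  x, y : Ref(Ref(Nat)), w : Ref(Nat)."""
    m = Model(env={"x": "l1", "y": "l2", "w": "l3"}, store={"l1": "l3", "l2": "l3", "l3": 0})
    x, y, w = var("x"), var("y"), var("w")
    out = {"x#y": m.disjoint(x, y),                                   # True
           "w#x": m.disjoint(w, x),                                   # False: x ↪ !x, axiom (3)-(3)
           "x↪w ≡ (!x = w)": m.reaches(x, w) == (m.eval(deref(x)) == m.eval(w))}  # True
    m.assign("y", x)                                                  # y := x exports x into y
    out["x#y after y:=x"] = m.disjoint(x, y)                          # False: [Unsound-Inv] would keep it
    out["y↪x"], out["y#x"] = m.reaches(y, x), m.disjoint(y, x)        # True, True
    m.assign("x", y)                                                  # x := y alters the content of x
    out["y↪x after x:=y"] = m.reaches(y, x)                           # True: [!x]y↪x ≡ y↪x
    out["y#x after x:=y"] = m.disjoint(y, x)                          # False: [!x]y#x ≡ y#x is invalid
    return out
```

The `disjoint` check is the executable form of the confinement question a reviewer asks of a hidden cell: whether any datum a caller holds can reach it. `stateful_reachability` shows why that answer must be recomputed after every assignment rather than carried as an invariant, exactly the failure [Unsound-Inv] would introduce, while `fresh_cell_lemma` shows that the only way to make a fresh cell reachable from an expression is to name it plainly, which is what the side condition u ∉ fpn(e) of [Subs] forbids.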

Let us say α is finite if it does not contain an arrow type or a type variable. We say e ↪ e' is finite if e has a finite type.

Theorem 5.10 (elimination). Suppose all reachability predicates in C are finite. Then there exists C' such that C ≡ C' and no reachability predicate occurs in C'.

Proof. By Proposition 5.9. See Appendix C.5. □

The elimination of reachability predicates crucially uses type information in logical terms: as a simple example consider x ↪ y where x has type Ref(Ref(Nat)) and y has type Ref(Nat). Then we have x ↪ y ≡ !x = y. The precise inductive elimination rules are given in Appendix C.5.

For analysing reachability with function types, it is useful to define the following "one-step" reachability predicate. Below e2 is of a reference type.

M ⊨ e1 ▷ e2  if  [[e2]]_{ξ,σ} ∈ fl([[e1]]_{ξ,σ}) for each (νl̃)(ξ, σ) ≈ M   (5.3)

The predicate f ▷ l' means that l' occurs in every ≈-variant of the program f. The following is straightforward from the definition.

Proposition 5.11 (Support). (νl̃)(ξ, σ) ⊨ x ▷ l' iff l' ∈ ⋂{fl(V) | V ≈ ξ(x)}.

The latter says that l' is in the support [12, 51, 59] of x.

We set x ▷^n y for n ≥ 0 by:

x ▷^0 y ≡ x = y
x ▷^1 y ≡ x ▷ y
x ▷^{n+1} y ≡ ∃z.(x ▷ z ∧ !z ▷^n y)   (n ≥ 1)

By definition, we immediately observe:

Proposition 5.12. x ↪ y ≡ ∃n.(x ▷^n y) ≡ (x = y ∨ x ▷ y ∨ ∃z.(x ▷ z ∧ z ≠ y ∧ !z ↪ y)).

Proposition 5.12 combined with Theorem 5.10 suggests that if we can clarify one-step reachability at function types then we will be able to clarify the reachability relation as a whole. Unfortunately this relation is inherently intractable.

Proposition 5.13 (undecidability of ▷ and ↪). (1) M ⊨ f ▷ x is undecidable. (2) M ⊨ f ↪ x is undecidable.

Proof. For (1), let V ≡ λ().if M = () then l else ref(0) with a closed PCFv-term M of type Unit. Then f : V, x : l ⊨ f ▷ x iff M ⇓, reducing satisfiability to the halting problem of PCFv-terms. For (2), take the same V, so that x has type Ref(Nat), in which case ▷ and ↪ coincide. □

The same result holds for call-by-value βη-equality. Proposition 5.13 indicates the inherent intractability of ▷ and ↪.

However, Proposition 5.13 does not imply that we cannot obtain useful axioms for (un)reachability at function types. Next, we discuss a collection of axioms for function types. First, the following axiom says that if x is unreachable from f, y and w̃, then the application of f to y with the effect set w̃ never exports x.

Proposition 5.14 (unreachable functions). For an arbitrary C, the following is valid with i and X fresh:

□{C ∧ x#fyw̃} f • y = z{C'}@w̃  ⊃  □∀X.∀i^X.{C ∧ x#fiyw̃} f • y = z{C' ∧ x#fiyzw̃}@w̃

Proof. See Appendix C.6. □
5.5. Local Invariants. We now introduce an axiom for local invariants. Let us first consider a function which uses a local reference of base type. Even programs of this kind pose fundamental difficulties in reasoning, as shown in [34]. Take the following program:

compHide ≡_def let x = ref(7) in λy.(y > !x)   (5.4)

The program behaves as the pure function λy.(y > 7). Clearly, the obvious local invariant !x = 7 is preserved. We demand this assertion to survive under arbitrary invocations of compHide: thus (naming the function u) we arrive at the following invariant:

C0 ≡_def !x = 7 ∧ □∀y.{!x = 7} u • y = z {!x = 7}@∅   (5.5)

Assertion (5.5) says: (1) the invariant !x = 7 holds now; and (2) once the invariant holds, it continues to hold for ever (note x can never be exported, due to the types of y and z, so that only u will touch x). Using this assertion, compHide satisfies the following, with i fresh:

{T} compHide :_u {νx.(x#i^X ∧ C0 ∧ C1)}   (5.6)

where

C1 ≡_def □∀y.{!x = 7} u • y = z {z = (y > 7)}@∅.   (5.7)

Thus, noting that C0 is only about the content of x (in fact it is syntactically stateless except x in the sense of Definition 3.19), we can conclude that C0 continues to hold automatically over any future computation by any program. Hence we cancel C0 together with x:

{T} compHide :_u {□∀y. u • y = z{z = (y > 7)}}   (5.8)

which describes a purely functional behaviour.

Now we leave the example and move to the general case, stipulating the underlying reasoning principle as an axiom. Let y, z be fresh. We define:

Inv(u, C0, x̃) ≡_def C0 ∧ (□∀ỹĩ.{C0} u • y ⇓ ⊃ □∀ỹĩ.{C0} u • y = z{C0 ∧ x̃#z})   (5.9)

where C0 ⊃ x̃#ĩỹ. Inv(u, C0, x̃) says that C0 holds currently; and that if C0 holds, applying u to y results in, if it ever converges, C0 again, with the returned z disjoint from x̃. The axiom also uses:

x ↪* ỹ ≡_def ∀z.(x ↪ z ⊃ z ∈ {ỹ})   (5.10)

Thus x ↪* ỹ says that all references reachable from x are inside {ỹ}. We write x̃ ↪* ỹ for the conjunction ⋀_i x_i ↪* ỹ.
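The two conjuncts of Inv(u, C0, x̃) can be checked on concrete closures by replaying call sequences. The following Python is an added example (not code from the paper): the hidden cell x is a one-element list, C0 is !x = 7, and x#z is read as "the result z is not, and does not contain, the cell". compHide is (5.4); the two contrasting programs, the adversarial caller and the argument lists are constructed for the example.

```python
# Added example (not from the paper): replaying Inv(u, C0, x) of (5.9) on closures.
# The hidden cell x is a one-element list, C0 is "!x = 7", and x#z is read as
# "the returned value z is not, and does not contain, the cell".  compHide is the
# paper's (5.4); incLike and leaky are contrasting programs written for this example.
import copy


def compHide():
    """let x = ref(7) in λy.(y > !x)"""
    x = [7]
    return x, (lambda y: y > x[0])


def incLike():
    """let x = ref(7) in λy.(x := !x + y; !x): keeps x hidden but breaks !x = 7"""
    x = [7]

    def u(y):
        x[0] += y
        return x[0]
    return x, u


def leaky():
    """let x = ref(7) in λy.x: keeps !x = 7 but returns the cell, so x#z fails"""
    x = [7]
    return x, (lambda y: x)


def mentions(z, cell):
    """x ↪ z for the flat values used here: z is the cell or a tuple containing it."""
    return z is cell or (isinstance(z, tuple) and any(mentions(c, cell) for c in z))


def check_inv(make, args, c0=lambda x: x[0] == 7):
    """Replay u • y over args and return (C0 held before and after every call,
    x#z held for every result z): the two conjuncts of Inv(u, C0, x) on this sample."""
    x, u = make()
    c0_holds, disjoint = c0(x), True
    for y in args:
        if not c0(x):                 # the premise {C0} of the evaluation formula fails
            break
        z = u(y)
        c0_holds &= c0(x)
        disjoint &= not mentions(z, x)
    return c0_holds, disjoint


def caller_cannot_interfere(make, args):
    """When Inv holds, only u touches x: a caller that mutates everything it received
    cannot change u's later answers.  Returns whether the answers on args are unchanged."""
    x, u = make()
    before = [copy.copy(u(y)) for y in args]
    for z in (u(y) for y in args):    # adversarial caller: mutate whatever it was given
        if isinstance(z, list):
            z[0] = 0
    after = [copy.copy(u(y)) for y in args]
    return before == after
```

`check_inv` separates the two ways a local invariant can fail: `incLike` keeps the cell hidden but violates C0 after the first call, while `leaky` preserves C0 yet violates x#z by handing the cell out. Only `compHide` satisfies both, and `caller_cannot_interfere` shows the consequence that (AIH) exploits: with both conjuncts in place no caller, however adversarial, can alter the function's future answers, which is why the hidden x and C0 can be cancelled to obtain the purely functional (5.8).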

Proposition 5.15 (axiom for information hiding). Assume Cb= C' Ax#iy/\g ►* x, C is stateless 
except x, C is antimonotone, C' is monotone, i,m are fresh and {x,g} H (fv(C,C) U{w}) = 0. Then 
the following is valid: 

(AIH) \fX.\fi x .m»()=u{(vx.3g.E l )AE} D Vx.V/ x .m. () = u{E 2 AE} 

with 

def _ 

• E\ = lnv(«,C ,x) An\/yi.{C AC}u»y = z{C'}@wx 

def 

• E 2 = n\/y.{C}u»y = z{C'}@w and 

• E is an arbitrary formula. 

Proof. See Appendix |C.7| □ 
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(AIH) is used with the refined consequence rule [Cons-Eval] (cf. Figure [T]) to simplify from E\ to Ei, 



eliminating hidings. Its validity is proved using Proposition |3.9| The axionrjsays: 



if a function u with fresh reference Xj is generated, and if it has a local invariant Cq 
on the content ofxj, then we can cancel Co together with x\. 
Note that: 

• The statelessness of Co except x ensures that satisfaction of Co is not affected by state change 
except at x; and 

• The quantification 3g.E\ of g in (AIH) allows the invariant to contain free variables, extending 
applicability of the axiom, for example in the presence of circular references as we shall use in 
§[6]for saf eEven. g ^* x ensures that g are contained in the x-hidden part of the model. 

Coming back to compHide, we take, for (AIH): 

(1) C to be \x = 7 which is syntactically stateless except x; 

(2) Co tobeC Ax#/; 

(3) s and w empty, 



(4) both C and E to be T (which is anti-monotonic by Proposition 5.7 and 

(5) C' to be z = (y > 7) (which is monotonic by the same proposition), 
thus arriving at the desired assertion. 

(AIH) eliminates $\nu$ from the post-condition based on local invariants. The following axiom also
eliminates $\nu x$, this time solely based on freshness and disjointness of $x$.

Proposition 5.16 ($\nu$-elimination). Let $x \notin \mathsf{fv}(C)$ and $m, \tilde i, X$ be fresh. Then the following is valid:

$$\forall X, \tilde i^{X}.\, m \bullet () = u\{\nu x.([!x]C \wedge x \# u \tilde i^{X})\} \;\supset\; m \bullet () = u\{C\} \qquad (5.11)$$



Proof. See Appendix C.8. □

This proposition says that if a hidden (and newly created) location x in the post-state is disjoint from 
any asserted data including the used function itself and those in the pre-state, then we can safely 
neglect it (in this sense it is a garbage collection rule when we are not concerned with newly created 
variables). 

The following axiom stipulates how an invariant can be transferred to a function (caller) which
uses another function (callee) when the latter only affects a set of references unreachable from the
former.

Proposition 5.17 (invariant by application). Assume $C_0$ is stateless except at $\tilde x$, $C_0 \supset \tilde x \# y$ and $y \notin \mathsf{fv}(C_0)$. Then the following is valid.

$$(\Box\forall y.\{C_0\}f \bullet y = z\{C_0\}@\tilde x \;\wedge\; \Box\{C\}g \bullet f = z\{C'\}) \;\supset\; \Box\{C \wedge C_0 \wedge \tilde x \# g\}g \bullet f = z\{C' \wedge C_0\}$$

Proof. See Appendix C.9. □

The axiom says that the result of applying a function $g$ disjoint from each local reference $x_i$ in $\tilde x$, to
the argument function $f$ which satisfies a local invariant exclusively at $\tilde x$, again preserves that local
invariant.

Proposition 5.17 may be considered as a higher-order version of Proposition 5.14 and in fact is
closely related in that both depend on localised effects of a function at references.



¹⁰ We believe that the monotonicity of $C'$ and anti-monotonicity of $C$ are unnecessary in Proposition 5.15 though the
present proof uses them.
6. Reasoning Examples

This section demonstrates the usage of the proposed logic through concrete reasoning examples.

6.1. New Reference Declaration. We first show a useful derived rule given by the combination of
"let" and new reference generation.

$$[\mathit{LetRef}]\quad \frac{\{C\}\,M :_m \{C_0\} \qquad \{C_0[!x/m] \wedge x \# \tilde e\}\,N :_u \{C'\} \qquad x \notin \mathsf{fpn}(\tilde e)}{\{C\}\ \mathsf{let}\ x = \mathsf{ref}(M)\ \mathsf{in}\ N :_u \{\nu x.C'\}}$$

where $C'$ is thin w.r.t. $m$. Above $\mathsf{fpn}(\tilde e)$ denotes the set of free plain names of $\tilde e$, which are reference
names in $\tilde e$ that do not occur dereferenced, given in Definition 4.1. The meaning of $x \# \tilde e$ was given
in Notation 2.1 in §2.3. The rule reads:

Assume (1) executing M with precondition C leads to Co, with the resulting value 
named m; and (2) running N from Co with m as the content of x together with 
the assumption x is unreachable from each e;, leads to C' with the resulting value 
named u. Then running let x = ref (M) in N from C leads to C' whose x is fresh 
and hidden. 

The side condition $x \notin \mathsf{fpn}(e_i)$ is essential for consistency (e.g. without it, we could assume $x \# x$,
i.e. $\mathsf{F}$); and $\nu x.C'$ cannot be strengthened to $x \# \tilde i \wedge C'$ since $N$ may store $x$ in an existing reference.
The use of general $\tilde e$ is also essential since we can start from total disjointness (separation) and
reach possibly partial disjointness in the conclusion. For this purpose we need to have explicit $x \# \tilde e$
initially, which may possibly be weakened in the post-condition $C'$ through the actions in $N$.

The rule directly gives a proof rule for new reference declaration [34, 48, 56], $\mathsf{new}\ x := M\ \mathsf{in}\ N$,
which has the same operational behaviour as $\mathsf{let}\ x = \mathsf{ref}(M)\ \mathsf{in}\ N$.

We can derive [LetRef] as follows. Below $\tilde i$ is fresh.

1. $\{C\}\,M :_m \{C_0\}$ (premise)

2. $\{C_0[!x/m] \wedge x \# \tilde e\}\,N :_u \{C'\}$ with $x \notin \mathsf{fpn}(\tilde e)$ (premise)

3. $\{C\}\,\mathsf{ref}(M) :_x \{\nu y.(C_0[!x/m] \wedge x \# \tilde i \wedge x = y)\}$ (1, Ref)

4. $\{C\}\,\mathsf{ref}(M) :_x \{\nu y.(C_0[!x/m] \wedge x \# \tilde e \wedge x = y)\}$ (Subs, $n$ times)

5. $\{C_0[!x/m] \wedge x \# \tilde e \wedge x = y\}\,N :_u \{C' \wedge x = y\}$ (2, Invariance)

6. $\{C\}\ \mathsf{let}\ x = \mathsf{ref}(M)\ \mathsf{in}\ N :_u \{\nu y.(C' \wedge x = y)\}$ (4, 5, LetOpen)

7. $\{C\}\ \mathsf{let}\ x = \mathsf{ref}(M)\ \mathsf{in}\ N :_u \{\nu x.C'\}$ (Conseq)

[LetOpen] is the rule for let to open the scope:

$$[\mathit{LetOpen}]\quad \frac{\{C\}\,M :_x \{\nu \tilde y.C_0\}@\tilde e_1 \qquad \{C_0\}\,N :_u \{C'\}@\tilde e_2}{\{C\}\ \mathsf{let}\ x = M\ \mathsf{in}\ N :_u \{\nu \tilde y.C'\}@\tilde e_1 \tilde e_2}$$

where $C'$ is thin w.r.t. $x$. [LetOpen] and [Subs] (both rules being for located judgements) are found
in Figure 6 in Appendix B.1 and their soundness is proved in Appendix B.3.
6.2. Shared Stored Function. We present a simple example of hiding-quantifiers and unreachability
using incShared in (1.2) from §1.

$$\mathsf{incShared} \stackrel{\mathrm{def}}{=} a := \mathsf{Inc};\, b := !a;\, c_1 := (!a)();\, c_2 := (!b)();\, (!c_1 + !c_2)$$

with $\mathsf{Inc} \stackrel{\mathrm{def}}{=} \mathsf{let}\ x = \mathsf{ref}(0)\ \mathsf{in}\ \lambda().(x := !x + 1;\, !x)$. Naming it $u$, the assertion $\nu x.\mathsf{inc}'(u, x, n)$
(defined below) captures the behaviour of Inc:

$$\mathsf{inc}(x, u) \stackrel{\mathrm{def}}{=} \Box\forall j.\{!x = j\}u \bullet () = j + 1\{!x = j + 1\}@x.$$

$$\mathsf{inc}'(u, x, n) \stackrel{\mathrm{def}}{=} !x = n \wedge \mathsf{inc}(x, u).$$

The following derivation for incShared sheds light on how shared higher-order local state can be
transparently reasoned about in the present logic. For brevity we work with the implicit global assumption
that $a, b, c_1, c_2$ are pairwise distinct and safely omit an anchor from judgements when the return value
is of unit type.

1. $\{\mathsf{T}\}\,\mathsf{Inc} :_u \{\nu x.\mathsf{inc}'(u, x, 0)\}$

2. $\{\mathsf{T}\}\,a := \mathsf{Inc}\ \{\nu x.\mathsf{inc}'(!a, x, 0)\}$ (1, Assign)

3. $\{\mathsf{inc}'(!a, x, 0)\}\,b := !a\ \{\mathsf{inc}'(!a, x, 0) \wedge \mathsf{inc}'(!b, x, 0)\}$ (Assign)

4. $\{\mathsf{inc}'(!a, x, 0)\}\,c_1 := (!a)()\ \{\mathsf{inc}'(!a, x, 1) \wedge !c_1 = 1\}$ (Assign)

5. $\{\mathsf{inc}'(!b, x, 1)\}\,c_2 := (!b)()\ \{\mathsf{inc}'(!b, x, 2) \wedge !c_2 = 2\}$ (App etc.)

6. $\{!c_1 = 1 \wedge !c_2 = 2\}\,(!c_1) + (!c_2) :_u \{u = 3\}$ (Deref etc.)

7. $\{\mathsf{T}\}\,\mathsf{incShared} :_u \{\nu x.u = 3\}$ (2-6, LetOpen)

8. $\{\mathsf{T}\}\,\mathsf{incShared} :_u \{u = 3\}$ (Conseq)

Line 1 is by [LetRef]. Line 8 uses Proposition 5.8 (2), $\nu x.C \supset C$.

To shed light on how the difference in sharing is captured in inferences, we list the inference
for a program which assigns distinct copies of Inc to $a$ and $b$,

$$\mathsf{incUnShared} \stackrel{\mathrm{def}}{=} a := \mathsf{Inc};\, b := \mathsf{Inc};\, c_1 := (!a)();\, c_2 := (!b)();\, (!c_1 + !c_2)$$

This program assigns to $a$ and $b$ two separate instances of Inc. This lack of sharing between $a$ and
$b$ in incUnShared is captured by the following derivation:

1. $\{\mathsf{T}\}\,\mathsf{Inc} :_u \{\nu x.\mathsf{inc}'(u, x, 0)\}$

2. $\{\mathsf{T}\}\,a := \mathsf{Inc}\ \{\nu x.\mathsf{inc}'(!a, x, 0)\}$

3. $\{\mathsf{inc}'(!a, x, 0)\}\,b := \mathsf{Inc}\ \{\nu y.\mathsf{inc}''(0, 0)\}$

4. $\{\mathsf{inc}''(0, 0)\}\,c_1 := (!a)()\ \{\mathsf{inc}''(1, 0) \wedge !c_1 = 1\}$

5. $\{\mathsf{inc}''(1, 0)\}\,c_2 := (!b)()\ \{\mathsf{inc}''(1, 1) \wedge !c_2 = 1\}$

6. $\{!c_1 = 1 \wedge !c_2 = 1\}\,(!c_1) + (!c_2) :_u \{u = 2\}$

7. $\{\mathsf{T}\}\,\mathsf{incUnShared} :_u \{\nu xy.u = 2\}$

8. $\{\mathsf{T}\}\,\mathsf{incUnShared} :_u \{u = 2\}$

Above $\mathsf{inc}''(n, m) \stackrel{\mathrm{def}}{=} \mathsf{inc}'(!a, x, n) \wedge \mathsf{inc}'(!b, y, m) \wedge x \neq y$. Note $x \neq y$ is guaranteed by [LetRef]. This
is in contrast to the derivation for incShared, where, in Line 3, $x$ is automatically shared after
"$b := !a$" which leads to scope extrusion.

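As an added illustration that is not part of the paper, the following Python models incShared and incUnShared with a small Ref class standing in for ML references and checks the specification inc'(u, x, 0) by observation; the function and variable names are this example's own.

```python
class Ref:
    """A mutable cell modelling an ML reference: Ref(v) is ref(v), .content is !r."""
    def __init__(self, value):
        self.content = value


def make_inc():
    """Inc = let x = ref(0) in lambda (). (x := !x + 1; !x).

    Returns the closure u together with its cell x.  In the program x is
    hidden (nu x in the assertion); it is returned here only so that
    check_inc_spec can observe the state the assertion talks about."""
    x = Ref(0)

    def u():
        x.content += 1
        return x.content

    return u, x


def check_inc_spec(rounds=5):
    """Checks inc'(u, x, 0): !x = 0 at creation and, for every j,
    {!x = j} u() = j + 1 {!x = j + 1}.  Returns True iff every call conforms."""
    u, x = make_inc()
    if x.content != 0:
        return False
    for j in range(rounds):
        if x.content != j:                 # precondition !x = j
            return False
        if u() != j + 1 or x.content != j + 1:
            return False                   # wrong result or wrong post-state
    return True


def inc_shared():
    """incShared = a := Inc; b := !a; c1 := (!a)(); c2 := (!b)(); (!c1 + !c2)"""
    a, b, c1, c2 = Ref(None), Ref(None), Ref(None), Ref(None)
    a.content, _ = make_inc()
    b.content = a.content            # b := !a : the same closure, hence the same x
    c1.content = a.content()         # !x becomes 1
    c2.content = b.content()         # the shared !x becomes 2
    return c1.content + c2.content   # 1 + 2


def inc_unshared():
    """incUnShared = a := Inc; b := Inc; c1 := (!a)(); c2 := (!b)(); (!c1 + !c2)"""
    a, b, c1, c2 = Ref(None), Ref(None), Ref(None), Ref(None)
    a.content, _ = make_inc()
    b.content, _ = make_inc()        # a second, distinct cell (x != y in the derivation)
    c1.content = a.content()         # the first cell becomes 1
    c2.content = b.content()         # the second cell becomes 1
    return c1.content + c2.content   # 1 + 1


if __name__ == "__main__":
    print(check_inc_spec(), inc_shared(), inc_unshared())   # True 3 2
```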
6.3. Memoised Factorial. Next we treat the memoised factorial (1.4) (from [49]) in the introduction.

$$\mathsf{memFact} \stackrel{\mathrm{def}}{=} \mathsf{let}\ a = \mathsf{ref}(0),\ b = \mathsf{ref}(1)\ \mathsf{in}\ \lambda x.\,\mathsf{if}\ x = !a\ \mathsf{then}\ !b\ \mathsf{else}\ (a := x;\, b := \mathsf{fact}(x);\, !b)$$

Above fact is the standard factorial function.

Our target assertion specifies the behaviour of a pure factorial.

$$\mathsf{Fact}(u) \stackrel{\mathrm{def}}{=} \Box\forall x.\,u \bullet x = y\{y = x!\}@\emptyset.$$

The following inference starts from the let-body of memFact, which we name $V$. We set:

$$E_{1a} \stackrel{\mathrm{def}}{=} \Box\forall x \tilde i.\{C_0\}u \bullet x = y\{C_0 \wedge ab \# y\}@ab$$

$$E_{1b} \stackrel{\mathrm{def}}{=} \Box\forall x \tilde i.\{C_0 \wedge C\}u \bullet x = y\{C'\}@ab$$

and we set $C_0$ to be $ab \# \tilde i x \wedge !b = (!a)!$, $C$ to be $\mathsf{T}$, and $C'$ to be $y = x!$. Note that $!b = (!a)!$ is stateless
except $ab$ by Proposition 5.9 (5); and that, by the type of $x$ and $y$ being Nat and Proposition 5.9 (2)-(1),
we have $ab \# x = ab \# y = \mathsf{T}$.
We can now reason:

1. $\{\mathsf{T}\}\,0 :_a \{a = 0\}@\emptyset$ (Const)

2. $\{a = 0\}\,1 :_b \{b = a!\}@\emptyset$ (Const)

3. $\{\mathsf{T}\}\,V :_u \{\Box\forall x \tilde i.\{C_0\}u \bullet x = y\{C_0 \wedge ab \# y \wedge y = x!\}@ab\}@\emptyset$ (Abs)

4. $\{\mathsf{T}\}\,V :_u \{E_{1a} \wedge E_{1b}\}@\emptyset$ (3, Conseq)

5. $\{ab \# \tilde i \wedge !b = (!a)!\}\,V :_u \{ab \# \tilde i \wedge !b = (!a)! \wedge E_{1a} \wedge E_{1b}\}@\emptyset$ (4, Inv-#, Inv-Val in §4.4)

6. $\{\mathsf{T}\}\,\mathsf{memFact} :_u \{\nu ab.(C_0 \wedge E_{1a} \wedge E_{1b})\}@\emptyset$ (1, 2, 4, LetRef in §6.1)

7. $m \bullet () = u\{\nu ab.(C_0 \wedge E_{1a} \wedge E_{1b})\} \supset m \bullet () = u\{\mathsf{Fact}(u)\}$ (*)

8. $\{\mathsf{T}\}\,\mathsf{memFact} :_u \{\mathsf{Fact}(u)\}@\emptyset$ (6, 7, ConsEval)

Line 4 uses the axiom $\{C\}f \bullet x = y\{C_1 \wedge C_2\}@\tilde w \supset \bigwedge_{i=1,2}\{C\}f \bullet x = y\{C_i\}@\tilde w$ (in [10]). Line 7 uses
(AIH).

6.4. Information Hiding (2): Stored Circular Procedures. We next consider stored higher-order
functions which mimic stored procedures.

We start with a simple one, circFact from [25], which uses a self-recursive higher-order local
store.

$$\mathsf{circFact} \stackrel{\mathrm{def}}{=} x := \lambda z.\,\mathsf{if}\ z = 0\ \mathsf{then}\ 1\ \mathsf{else}\ z \times (!x)(z - 1)$$

$$\mathsf{safeFact} \stackrel{\mathrm{def}}{=} \mathsf{let}\ x = \mathsf{ref}(\lambda y.y)\ \mathsf{in}\ (\mathsf{circFact};\, !x)$$

In [25], we have derived the following judgement.

$$\{\mathsf{T}\}\,\mathsf{circFact} :_u \{\mathsf{CircFact}(u, x)\}@x \qquad (6.1)$$

where

$$\mathsf{CircFact}(u, x) \stackrel{\mathrm{def}}{=} \Box\forall n.\{!x = u\}\,!x \bullet n = z\{z = n! \wedge !x = u\}@\emptyset \;\wedge\; !x = u$$

which says:

After executing the program, $x$ stores a procedure which would calculate a factorial
if $x$ stores that behaviour, and that $x$ does store the behaviour.

We now show safeFact named $u$ satisfies $\mathsf{Fact}(u)$. Below we use:

$$\mathsf{CF}_a \stackrel{\mathrm{def}}{=} \Box\forall n.\{!x = u\}\,!x \bullet n = z\{!x = u\}@\emptyset$$

$$\mathsf{CF}_b \stackrel{\mathrm{def}}{=} \Box\forall n.\{!x = u\}\,!x \bullet n = z\{z = n!\}@\emptyset$$

Note $x \# z = \mathsf{T}$ and $x \# n = \mathsf{T}$ by Proposition 5.9 (2)-(1).
1. $\{\mathsf{T}\}\,\lambda y.y :_m \{\mathsf{T}\}@\emptyset$

2. $\{\mathsf{T}\}\,\mathsf{circFact};\, !x :_u \{\mathsf{CircFact}(u, x)\}@x$

3. $\{\mathsf{T}\}\,\mathsf{circFact};\, !x :_u \{!x = u \wedge \mathsf{CF}_a \wedge \mathsf{CF}_b\}@x$ (2, Conseq)

4. $\{x \# \tilde i\}\,\mathsf{circFact};\, !x :_u \{x \# \tilde i \wedge !x = u \wedge \mathsf{CF}_a \wedge \mathsf{CF}_b\}@x$ (3, Inv-#)

5. $\{\mathsf{T}\}\,\mathsf{safeFact} :_u \{\nu x.(C_0 \wedge \mathsf{CF}_a \wedge \mathsf{CF}_b)\}@\emptyset$ (4, LetRef)

6. $m \bullet () = u\{\nu x.(C_0 \wedge \mathsf{CF}_a \wedge \mathsf{CF}_b)\} \supset m \bullet () = u\{\mathsf{Fact}(u)\}$ (*)

7. $\{\mathsf{T}\}\,\mathsf{safeFact} :_u \{\mathsf{Fact}(u)\}@\emptyset$ (5, 6, ConsEval)

Line 1 is immediate. Line 2 is (6.1). Line 6, (*), is by (AIH), Proposition 5.15, setting $C_0 \stackrel{\mathrm{def}}{=} x \# \tilde i \wedge !x = u$,
$C \stackrel{\mathrm{def}}{=} E \stackrel{\mathrm{def}}{=} \mathsf{T}$ and $C' \stackrel{\mathrm{def}}{=} y = x!$.

6.5. Mutually Recursive Stored Functions. Now we investigate the program from (1.6) in the
introduction. The reasoning easily extends to programs which use multiple locally stored, and
mutually recursive, procedures.

We first verify the following mutualParity (the let-body).

$$\mathsf{mutualParity} \stackrel{\mathrm{def}}{=} x := \lambda n.\,\mathsf{if}\ n = 0\ \mathsf{then}\ \mathsf{f}\ \mathsf{else}\ \mathsf{not}((!y)(n - 1));\ \ y := \lambda n.\,\mathsf{if}\ n = 0\ \mathsf{then}\ \mathsf{t}\ \mathsf{else}\ \mathsf{not}((!x)(n - 1)) \qquad (6.2)$$

Then we have:

$$\{\mathsf{T}\}\,\mathsf{mutualParity} :_u \{\exists gh.\mathsf{IsOddEven}(gh, !x!y, xy, n)\} \qquad (6.3)$$

where, with $\mathsf{Even}(n) \stackrel{\mathrm{def}}{=} \exists x.(n = 2 \times x)$ and $\mathsf{Odd}(n) \stackrel{\mathrm{def}}{=} \mathsf{Even}(n + 1)$:

$$\mathsf{IsOddEven}(gh, wu, xy, n) \stackrel{\mathrm{def}}{=} (\mathsf{IsOdd}(w, gh, n, xy) \wedge \mathsf{IsEven}(u, gh, n, xy) \wedge !x = g \wedge !y = h)$$

$$\mathsf{IsOdd}(u, gh, n, xy) \stackrel{\mathrm{def}}{=} \Box\{!x = g \wedge !y = h\}u \bullet n = z\{z = \mathsf{Odd}(n) \wedge !x = g \wedge !y = h\}@xy$$

$$\mathsf{IsEven}(u, gh, n, xy) \stackrel{\mathrm{def}}{=} \Box\{!x = g \wedge !y = h\}u \bullet n = z\{z = \mathsf{Even}(n) \wedge !x = g \wedge !y = h\}@xy$$

The detailed derivations are given in Appendix D.1. Above $\mathsf{IsOdd}(u, gh, n, xy)$ says that

$!x$ and $!y$ remain unchanged, and that $u$ checks if its argument is odd.

Similarly for $\mathsf{IsEven}(u, gh, n, xy)$. Then $\mathsf{IsOddEven}(gh, wu, xy, n)$ above says that

$x$ stores a procedure which checks if its argument is odd if $y$ stores a procedure
which does the dual, and $x$ does store the behaviour; and dually for $y$.

Note that in IsOdd and IsEven the effect set is $xy$, since $x$ and $y$ are free and assigned to the abstractions
in mutualParity.

Our aim is to derive the judgement for safeEven given below:

$$\mathsf{safeEven} \stackrel{\mathrm{def}}{=} \mathsf{let}\ x = \mathsf{ref}(\lambda n.\mathsf{t}),\ y = \mathsf{ref}(\lambda n.\mathsf{t})\ \mathsf{in}\ (\mathsf{mutualParity};\, !y) \qquad (6.4)$$

We start from (6.3) (the case for safeOdd is symmetric).

$$\{\mathsf{T}\}\,\mathsf{safeEven} :_u \{\forall n.\Box\{\mathsf{T}\}u \bullet n = z\{z = \mathsf{Even}(n)\}@\emptyset\}$$
We first identify the local invariant:

$$C_0 \stackrel{\mathrm{def}}{=} !x = g \wedge !y = h \wedge \mathsf{IsEven}(h, gh, n, xy) \wedge xy \# \tilde i n \wedge gh \rightarrowtail^{*} xy$$

Note we have a free variable $h$. Since $C_0$ only talks about $g$, $h$ and the content of $x$ and $y$, we know
$!x = g \wedge !y = h \wedge \mathsf{IsEven}(h, gh, n, xy)$ is stateless except $x, y$; and $xy \# n = xy \# z = \mathsf{T}$ by Proposition
5.9 (2)-(1).

Let us define:

$$\mathsf{ValEven}(u) \stackrel{\mathrm{def}}{=} \Box\forall n.\{\mathsf{T}\}u \bullet n = z\{z = \mathsf{Even}(n)\}@\emptyset$$

$$\mathsf{Even}_a \stackrel{\mathrm{def}}{=} \Box\forall n.\{C_0\}u \bullet n = z\{C_0\}@xy$$

$$\mathsf{Even}_b \stackrel{\mathrm{def}}{=} \Box\forall n.\{C_0\}u \bullet n = z\{z = \mathsf{Even}(n)\}@xy$$

The derivation is given as follows.

1. $\{\mathsf{T}\}\,\lambda n.\mathsf{t} :_m \{\mathsf{T}\}@\emptyset$

2. $\{\mathsf{T}\}\,\mathsf{mutualParity};\, !y :_u \{\exists gh.\mathsf{IsOddEven}(gh, gu, xy, n)\}@xy$

3. $\{\mathsf{T}\}\,\mathsf{mutualParity};\, !y :_u \{\exists gh.(!x = g \wedge !y = h \wedge \mathsf{IsOdd}(g, gh, n, xy) \wedge \mathsf{Even}_a \wedge \mathsf{Even}_b)\}@xy$

4. $\{xy \# \tilde i\}\,\mathsf{mutualParity};\, !y :_u \{\exists gh.(C_0 \wedge \mathsf{Even}_a \wedge \mathsf{Even}_b)\}@xy$

5. $\{\mathsf{T}\}\,\mathsf{safeEven} :_u \{\nu xy.\exists gh.(C_0 \wedge \mathsf{Even}_a \wedge \mathsf{Even}_b)\}@\emptyset$

6. $\{\mathsf{T}\}m \bullet () = u\{\nu xy.\exists gh.(C_0 \wedge \mathsf{Even}_a \wedge \mathsf{Even}_b)\} \supset \{\mathsf{T}\}m \bullet () = u\{\mathsf{ValEven}(u)\}$ (by (AIH))

7. $\{\mathsf{T}\}\,\mathsf{safeEven} :_u \{\mathsf{ValEven}(u)\}@\emptyset$

As we can see, the derivation follows the same pattern as that of memFact and safeFact.
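Added example (not the paper's code): safeFact from §6.4 and safeEven from §6.5 modelled in Python, where the stored procedures recurse through the reference rather than through themselves; it also runs circFact on a reference the client can see, to show why CircFact(u, x) must be conditional on !x = u while Fact(u) for safeFact is not. The parity checkers are written as the direct mutual recursion that IsOdd and IsEven specify (an assumption of this example), and names such as exposed_fact and break_exposed_fact are this example's own.

```python
class Ref:
    """A mutable cell modelling an ML reference: Ref(v) is ref(v), .content is !r."""
    def __init__(self, value):
        self.content = value


def circ_fact(x):
    """circFact: x := lambda z. if z = 0 then 1 else z * (!x)(z - 1).
    The stored procedure recurses through the reference x, not through itself,
    so its behaviour depends on what x holds at each recursive call."""
    x.content = lambda z: 1 if z == 0 else z * x.content(z - 1)


def safe_fact():
    """safeFact = let x = ref(lambda y. y) in (circFact; !x).
    x is local and never exported, so !x = u can never be disturbed: this is
    why the unconditional Fact(u) holds for the returned procedure."""
    x = Ref(lambda y: y)
    circ_fact(x)
    return x.content


def exposed_fact():
    """circFact run on a reference that is visible to the client (the situation
    of judgement (6.1), whose effect set is x).  Returns both u = !x and x."""
    x = Ref(lambda y: y)
    circ_fact(x)
    return x.content, x


def break_exposed_fact():
    """Why CircFact(u, x) is conditional on !x = u: once the client stores another
    procedure in x, the very same u stops computing factorials.
    Returns (result while !x = u, result after x was overwritten)."""
    u, x = exposed_fact()
    before = u(5)                   # 120: every recursive call still finds u in x
    x.content = lambda z: 0         # client overwrites the stored procedure
    after = u(5)                    # 5 * (!x)(4) = 5 * 0 = 0
    return before, after


def mutual_parity(x, y):
    """mutualParity (6.2): x gets an odd-checker, y an even-checker, each calling
    the other through the references.  Assumption of this example: the checkers
    are written as the direct mutual recursion odd(n) = even(n - 1) and
    even(n) = odd(n - 1), which is the behaviour IsOdd and IsEven specify."""
    x.content = lambda n: False if n == 0 else y.content(n - 1)
    y.content = lambda n: True if n == 0 else x.content(n - 1)


def safe_even():
    """safeEven (6.4) = let x = ref(lambda n. t), y = ref(lambda n. t)
                        in (mutualParity; !y).
    Both references stay hidden, so ValEven(u) holds without any !x = g, !y = h
    hypothesis about the stored procedures."""
    x, y = Ref(lambda n: True), Ref(lambda n: True)
    mutual_parity(x, y)
    return y.content


if __name__ == "__main__":
    print(safe_fact()(5), break_exposed_fact(), safe_even()(10), safe_even()(7))
    # 120 (120, 0) True False
```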

6.6. Higher-Order Invariant. We move to a program (from [59, p. 104]) whose invariant behaviour
depends on another function. The program instruments a program with simple profiling,
counting the number of invocations.

$$\mathsf{profile} \stackrel{\mathrm{def}}{=} \mathsf{let}\ x = \mathsf{ref}(0)\ \mathsf{in}\ \lambda y.(x := !x + 1;\, fy)$$

Since $x$ is never exposed, this program should behave precisely as $f$. Thus our aim is to derive:

$$\{\Box\forall y.\{C\}f \bullet y = z\{C'\}@\tilde w\}\ \mathsf{profile} :_u \{\Box\forall y.\{C\}u \bullet y = z\{C'\}@\tilde w\} \qquad (6.5)$$

with $x \notin \mathsf{fv}(C, C')$ (by the bound name condition) and arbitrary anti-monotonic $C$ and monotonic $C'$.
This judgement says:

if $f$ satisfies the specification $E \stackrel{\mathrm{def}}{=} \Box\forall y.\{C\}f \bullet y = z\{C'\}@\tilde w$, then profile satisfies
the same specification $E$.

To derive (6.5), we first set $C_0$, the invariant, to be $x \# f \tilde i y \tilde w$.

As with the previous derivations, we use two subderivations. First we derive:

$E \stackrel{\mathrm{def}}{=} \Box\forall y.\{C\}f \bullet y = z\{C'\}@\tilde w$

$\supset\ \Box\forall y \tilde i.\{C \wedge x \# f \tilde i y \tilde w\}f \bullet y = z\{C'\}@\tilde w x$ (Axiom (e8) in [25])

$\supset\ E_1 \stackrel{\mathrm{def}}{=} \Box\forall y \tilde i.\{C \wedge x \# f \tilde i y \tilde w\}f \bullet y = z\{C' \wedge x \# z f \tilde i y \tilde w\}@\tilde w x$ (Axiom (e8) in [25])

where Axiom (e8) in [25] is given as:

$$(C \supset C_0 \wedge \{C_0\}x \bullet y = z\{C_0'\} \wedge C_0' \supset C') \supset \{C\}x \bullet y = z\{C'\}$$

and we use the first axiom in Proposition 5.3 (1). We also let

$$E_2 \stackrel{\mathrm{def}}{=} \Box\forall y \tilde i.\{[!x]C \wedge C_0\}f \bullet y = z\{C' \wedge C_0\}@\tilde w x$$

The inference follows.



1. $\{\mathsf{T}\}\,x := !x + 1\ \{\mathsf{T}\}@x$ (Assign)

2. $\{[!x]C \wedge E \wedge x \# f \tilde i y \tilde w\}\,x := !x + 1\ \{C \wedge E \wedge x \# f \tilde i y \tilde w\}@x$ (Inv-#, Conseq)

3. $\{C \wedge E \wedge C_0\}\,fy :_z \{C' \wedge C_0\}@\tilde w x$ (App, Conseq)

4. $\{[!x]C \wedge E \wedge C_0\}\,x := !x + 1;\, fy :_z \{C' \wedge C_0\}@x\tilde w$ (2, 3, Seq)

5. $\{E\}\,\lambda y.(x := !x + 1;\, fy) :_u \{E_2\}@\emptyset$ (4, Abs, Inv)

6. $\{E\}\,\lambda y.(x := !x + 1;\, fy) :_u \{\mathsf{Inv}(u, C_0, x)\}@\emptyset$ (similar to 1-5, from $E_2$)

7. $\{E\}\,\mathsf{profile}\ \{\nu x.(\mathsf{Inv}(u, C_0, x) \wedge E_2)\}@\emptyset$ (5, 6, LetRef in §6.1)

8. $m \bullet () = u\{\nu x.(\mathsf{Inv}(u, C_0, x) \wedge E_2)\} \supset m \bullet () = u\{E\}$ (*)

9. $\{E\}\,\mathsf{profile} :_u \{E\}@\emptyset$ (7, 8, ConsEval)

Above in Line 2, we note $E$ is tame (because of $\Box$) and equivalent to $[!x]E$, hence [Inv] becomes
applicable. Line 8 is inferred by Proposition 5.15.



6.7. Nested Local Invariant from [34, 27]. The next example uses a function with local state as
an argument to another function. Let $\Omega \stackrel{\mathrm{def}}{=} \mu f.\lambda().(f())$. Below $\mathsf{even}(n)$ tests for evenness of $n$.

$$\mathsf{MeyerSieber} \stackrel{\mathrm{def}}{=} \mathsf{let}\ x = \mathsf{ref}(0)\ \mathsf{in}\ \mathsf{let}\ f = \lambda().x := !x + 2\ \mathsf{in}\ (gf;\ \mathsf{if}\ \mathsf{even}(!x)\ \mathsf{then}\ ()\ \mathsf{else}\ \Omega())$$

Note $\Omega()$ immediately diverges. Since $x$ is local, and because $g$ will have no way to access $x$ except
by calling $f$, the local invariant that $x$ stores an even number is maintained. Hence MeyerSieber
satisfies the judgement:

$$\{E \wedge C\}\ \mathsf{MeyerSieber}\ \{C'\} \qquad (6.6)$$

where, with $x, m \notin \mathsf{fv}(C, C')$:

$$E \stackrel{\mathrm{def}}{=} \forall f.(\Box f \bullet ()\{\mathsf{T}\}@\emptyset \supset \Box\{C\}g \bullet f\{C'\})$$

(anchors of type Unit are omitted following Notation 2.1 (6)). The judgement (6.6) says that:

if feeding $g$ with a total and effect-free $f$ always satisfies $\{C\}g \bullet f\{C'\}$, then MeyerSieber
starting from $C$ also terminates with the final state $C'$.

Note such $f$ behaves as skip.

For the derivation of (6.6), from the axiom for reachability in Proposition 5.17 we can derive
$E \supset E'$ where

$$E' \stackrel{\mathrm{def}}{=} \forall f.(\Box f \bullet ()\{\mathsf{T}\}@x \supset \Box\{[!x]C \wedge x \# g\}g \bullet f\{[!x]C'\})$$

Further $\lambda().x := !x + 2$ named $f$ satisfies both:

$$A_1 \stackrel{\mathrm{def}}{=} \Box\{\mathsf{T}\}f \bullet ()\{\mathsf{T}\}@x \quad\text{and}\quad A_2 \stackrel{\mathrm{def}}{=} \Box\{\mathsf{Even}(!x)\}f \bullet ()\{\mathsf{Even}(!x)\}@x$$

Then from $A_1$ and $E'$, we obtain $A_1' \stackrel{\mathrm{def}}{=} \Box\{[!x]C \wedge x \# g\}g \bullet f\{[!x]C'\}$.

Using Proposition 5.17, $A_1'$ and $A_2$ we obtain

$$\{\mathsf{Even}(!x) \wedge [!x]C \wedge E \wedge x \# g \tilde i\}\ M\ \{[!x]C' \wedge x \# \tilde i\}$$

with $M \stackrel{\mathrm{def}}{=} \mathsf{let}\ f = \lambda().x := !x + 2\ \mathsf{in}\ (gf;\ \mathsf{if}\ \mathsf{even}(!x)\ \mathsf{then}\ ()\ \mathsf{else}\ \Omega())$.

We then apply a variant of [LetRef] (replacing $C_0[!x/m]$ in the premise of [LetRef] in §4.2 with
$[!x]C_0 \wedge !x = m$) to obtain

$$\{E \wedge C\}\ \mathsf{MeyerSieber}\ \{\nu x.([!x]C' \wedge x \# \tilde i)\}$$

Finally by Proposition 5.16 (noting the returned value has a base type, cf. Proposition 5.9 (2)-(1)), we
reach $\{E \wedge C\}\ \mathsf{MeyerSieber}\ \{C'\}$. The full derivation is given in Appendix D.2.
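As an added example (not from the paper), MeyerSieber modelled in Python with Ω() replaced by a raised exception: several constructed clients g receive only f and none of them can break Even(!x). The step parameter is this example's own knob (the paper's f always adds 2); it shows the divergence that follows once f fails to preserve the local invariant A_2.

```python
class Ref:
    """A mutable cell modelling an ML reference."""
    def __init__(self, value):
        self.content = value


class Diverges(Exception):
    """Stands for running Omega() = (mu f. lambda (). f ())(), which never returns."""


def meyer_sieber(g, step=2):
    """MeyerSieber = let x = ref(0) in let f = lambda (). x := !x + 2
                     in (g f; if even(!x) then () else Omega()).

    g receives f and nothing else; x is not reachable from g.  Returns True on
    termination and raises Diverges where the program would run Omega().
    `step` is this example's own knob (the paper's f always adds 2): with an
    odd step, f no longer preserves Even(!x), the local invariant A_2.
    """
    x = Ref(0)

    def f():
        x.content += step           # the only way g can act on x

    g(f)
    if x.content % 2 == 0:
        return True                 # Even(!x) survived whatever g did
    raise Diverges("!x is odd after g f")


# Constructed clients g; none of them mentions x.
def g_skip(f):
    """Never calls f."""


def g_many(f):
    """Calls f an odd number of times."""
    for _ in range(7):
        f()


stash = Ref(None)                   # an existing reference outside MeyerSieber


def g_store(f):
    """Extrudes f (not x) into an existing reference and calls it later."""
    stash.content = f
    stash.content()
    stash.content()


def all_terminate():
    """With the paper's f (step 2) every client above terminates."""
    return all(meyer_sieber(g) for g in (g_skip, g_many, g_store))


def odd_step_diverges():
    """With step 1, Even(!x) is not invariant under f, so g_many sends the
    program into Omega(); g_skip, which never calls f, still terminates."""
    try:
        meyer_sieber(g_many, step=1)
    except Diverges:
        return meyer_sieber(g_skip, step=1)
    return False


if __name__ == "__main__":
    print(all_terminate(), odd_step_diverges())   # True True
```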



6.8. Information Hiding (5): Object. As a final example, we treat information hiding for a program
with state, a small object encoded in imperative higher-order functions, taken from [27] (cf. [10, 46,
47]). The following program generates a simple object each time it is invoked.

$$\mathsf{cellGen} \stackrel{\mathrm{def}}{=} \lambda z.(\mathsf{let}\ x_{0,1} = \mathsf{ref}(z)\ \mathsf{in}\ \mathsf{let}\ y = \mathsf{ref}(0)\ \mathsf{in}\ \langle \lambda().\mathsf{if}\ \mathsf{even}(!y)\ \mathsf{then}\ !x_0\ \mathsf{else}\ !x_1,\ \ \lambda w.(y := !y + 1;\ x_{0,1} := w) \rangle)$$

The object has a getter and a setter method. Instead of having one local variable, it uses two with
the same content, of which one is read at each odd turn of the "read" requests, another at each
even turn. When writing, it writes the same value to both. Since having two variables in this way
does not differ observationally from having only one, we expect the following judgement to hold for
cellGen:

$$\{\mathsf{T}\}\,\mathsf{cellGen} :_u \{\mathsf{CellGen}(u)\} \qquad (6.7)$$

where we set:

$$\mathsf{CellGen}(u) \stackrel{\mathrm{def}}{=} \Box\forall z \tilde i.\,u \bullet z = o\{\nu x.(\mathsf{Cell}(o, x) \wedge !x = z \wedge o \# \tilde i \wedge x = o)\}@\emptyset$$

$$\mathsf{Cell}(o, x) \stackrel{\mathrm{def}}{=} \Box\forall v.\{!x = v\}\pi_1(o) \bullet () = z\{z = v \wedge !x = v\}@\emptyset \;\wedge\; \Box\forall w.\pi_2(o) \bullet w\{!x = w\}@x$$

$\mathsf{Cell}(o, x)$ says that $\pi_1(o)$, the getter of $o$, returns the content of a local variable $x$; and $\pi_2(o)$, the
setter of $o$, writes the received value to $x$. Then $\mathsf{CellGen}(u)$ says that, when $u$ is invoked with a value,
say $z$, an object is returned with its initial fresh local state initialised to $z$. Note both specifications
only mention a single local variable. A straightforward derivation of (6.7) uses $!x_0 = !x_1$ as the
invariant to erase $x_1$: then we $\alpha$-convert $x_0$ to $x$ to obtain the required assertion $\mathsf{Cell}(o, x)$. See
Appendix D.3 for full inferences.
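Added example (not the paper's code): cellGen modelled in Python, with the derivation's invariant !x_0 = !x_1 checked at run time inside the setter and an observational check that the two-cell object cannot be told apart from a single cell; check_cell and behaves_as_single_cell are this example's own names, and the write traces they take are constructed inputs.

```python
class Ref:
    """A mutable cell modelling an ML reference."""
    def __init__(self, value):
        self.content = value


def cell_gen(z):
    """cellGen applied to z:
         let x0, x1 = ref(z) in let y = ref(0) in
           < lambda (). if even(!y) then !x0 else !x1,     -- getter, pi_1(o)
             lambda w. (y := !y + 1; x0, x1 := w) >        -- setter, pi_2(o)
    Returns o as a (getter, setter) pair; x0, x1 and y are not reachable from o
    except through these two closures."""
    x0, x1, y = Ref(z), Ref(z), Ref(0)

    def get():
        return x0.content if y.content % 2 == 0 else x1.content

    def put(w):
        y.content += 1
        x0.content = w
        x1.content = w
        # Local invariant used in the derivation of (6.7) to erase x1:
        assert x0.content == x1.content

    return get, put


def check_cell(trace, z=0):
    """Observational check of Cell(o, x).  `trace` is a constructed list of
    values to write.  Returns (value written, read back, read back again) for
    the initial state and after each write; the turn counter y decides which
    hidden cell each read consults."""
    get, put = cell_gen(z)
    out = [(None, get(), get())]
    for w in trace:
        put(w)
        out.append((w, get(), get()))
    return out


def behaves_as_single_cell(trace, z=0):
    """True iff every read returns the latest write (z before any write), i.e.
    the two-cell object cannot be told apart from one with a single cell x."""
    return all(r1 == r2 == (z if w is None else w)
               for w, r1, r2 in check_cell(trace, z))


if __name__ == "__main__":
    print(check_cell([5, 7], z=1), behaves_as_single_cell([5, 7, 7, 42]))
    # [(None, 1, 1), (5, 5, 5), (7, 7, 7)] True
```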
7. Extension, Related Work and Future Topics

For lack of space, detailed comparisons with existing program logics and reasoning methods, in
particular with Clarke's impossibility result, Spatial Logic [11] (which contains a hiding quantifier
used in a concurrency setting), as well as other logics such as LCF, Dynamic Logic, higher-order
logic and specification logic are left to our past papers [6, 22, 24, 25]. Below we focus on directly
related work that treats locality and freshness in higher-order languages.



7.1. Three Completeness Results. We discuss completeness properties of the proposed logic. A
strong completeness property called descriptive completeness is studied in [23]. Descriptive completeness
means that characteristic assertions are provable for each program (i.e. an assertion characterising
a program's behaviour uniquely up to observational congruence). We have shown [23]
that this property implies two other completeness properties in our base logic, relative completeness
(which says that provability and validity of judgements coincide, i.e. completeness relative to
an oracle which can decide the validity of formulae in the assertion language) and observational
completeness (which says that validity precisely characterises the standard contextual equivalence).

For lack of space, we only state the latter, which we regard as a basic semantic property of the
logic.

Write $\cong$ for the standard contextual congruence for programs [46]; further write $M_1 \cong_L M_2$ to
mean ($\models \{C\}M_1 :_u \{C'\}$ iff $\models \{C\}M_2 :_u \{C'\}$). We have:

Theorem 7.1 (observational completeness). For each $\Gamma; \Delta \vdash M_i : \alpha$ ($i = 1, 2$), we have $M_1 \cong_L M_2$
iff $M_1 \cong M_2$.

The proofs of descriptive, observational and relative completeness follow [23] and are detailed in
[?].



7.2. Local Variables in Hoare Logic. To our knowledge, Hoare and Wirth [19] are the first to
present a rule for local variable declaration. In our notation, their rule is written as follows.

$$[\mathit{Hoare\text{-}Wirth}]\quad \frac{\{C \wedge x \neq \tilde y\}\,P\,\{C'\} \qquad x \notin \mathsf{fv}(C') \cup \{\tilde y\}}{\{C[e/!x]\}\ \mathsf{new}\ x := e\ \mathsf{in}\ P\ \{C'\}}$$

Because this rule assumes references are never exported beyond their original scope, there is no
need to have $x$ in $C'$. Since aliasing is not permitted in [19] either, we can also dispense with $x \neq \tilde y$
in the premise. [LetRef] in §6.2 differs from [Hoare-Wirth] in that the former can treat aliased
references, higher-order procedures and new reference generation extruded beyond their original
scope. [Hoare-Wirth] is derivable from [LetRef], [Assign] and $\nu$-elimination in Prop. 5.16.

Among the studies of verification methods for ML-like languages [?, 38], Extended ML [57] is
a formal development framework for Standard ML. A specification is given by combining module
signatures and algebraic axioms. Correctness of an implementation w.r.t. a specification is verified
by incremental syntactic transformations. Larch/ML [61] is a design proposal of a Larch-based
interface language for ML. Integration of typing and interface specification is the main focus of the
proposal in [61]. These two works do not (aim to) offer a program logic with compositional proof
rules; nor does either of these works treat specifications for functions with dynamically generated
references.



7.3. Related Work and Future Topics.

Reasoning Principles for Functions with Local State. There is a long tradition of studying equivalences
over higher-order programs with local state. Meyer and Sieber [34] present examples and
reasoning principles based on denotational semantics. Mason, Talcott and others [26, 31, 32] investigate
equational axioms for an untyped version of the language treated in the present paper,
including local invariance. Pitts and Stark [48, 49, 59] present powerful operational reasoning principles
for the same ML-fragment considered here, including reasoning principles for local invariance
at higher-order types [49]. Our axioms for information hiding in §5, which capture a basic pattern
of programming with local state, are closely related with these reasoning principles. Our logic differs
in that its aim is to offer a method for describing and validating properties of programs beyond
program equivalence. Equational and logical approaches are complementary: Theorem 7.1 offers a
basis for integration. For example, we may consider deriving a property of the optimised version $M'$
of $M$: if we can easily verify $\{C\}M :_u \{C'\}$ and if we know $M \cong M'$, we can conclude $\{C\}M' :_u \{C'\}$,
which is useful if $M$ is better structured than $M'$.



Separation Logic. The approach by Reynolds et al. [56] represents fresh data generation by relative
spatial disjointness from the original datum, using a sub-structural separating conjunction. This
method captures a significant part of program properties. The proposed logic represents freshness
as temporal disjointness through generic (un)reachability from arbitrary data in the initial state.
The presented approach enables uniform treatment of known data types in verification, including
product, sum, reference, closure, etc., through the use of anchors, which matches the observational
semantics precisely: we have examined this point through several examples, including objects from
[27], circular lists from [29], and tree-, dag- and graph-copy from [9]. These results will be reported
in future expositions. Reynolds [56] criticises the use of reachability for describing data structures,
taking in-place reversal of a linear list as an example. Following §6, tractable reasoning is possible
for such examples using reachability combined with [Inv] and located assertions, see [62].

Birkedal et al. [8] present a "separation logic typing" for a variant of Idealised Algol where
types are constructed from formulae of disjunction-free separation logic. The typing system uses
subtyping calculated via categorical semantics, the focus of their study. The work [7] extends separation
logic with higher-order predicates (higher-order frame rule), and demonstrates how the extension
helps modular reasoning about priority queues. Both works consider neither exportable fresh
reference generation nor higher-order/stored procedures in full generality, so it would be difficult to
represent assertions and validate the examples in §6. Examining the use of higher-order predicate
abstraction in the present logic is an interesting future topic.



Other Hoare Logics. Names have been used in Hoare logic since early work by Kowaltowski [28],
and are found in the work by von Oheimb [60], Leavens and Baker [30] and Abadi and Leino [1],
for treating parameter passing and return values. These works do not treat higher-order procedures
and data types, which are uniformly captured in the present logic along with parameters and return
values through the use of names. This generality comes from the fact that a large class of program
behaviour is faithfully represented as name passing processes which interact at names: our assertion
language offers a concise way to describe such interactive behaviour in a logical framework.

Nanevski et al. [42, 43] study Hoare Type Theory (HTT) which combines dependent types and
Hoare triples with anchors based on a monadic understanding of computation. HTT aims to provide
an effective general framework which unifies standard static checking techniques with logical
verification. Their system emphasises the clean separation between static validation and assertions.
In their later work [42], the integration of programs and specifications in HTT is further pursued
by introducing local state. Because of their basis in type theory, one interesting aspect is that their
"Hoare Triple" of the form "$\{P\}x : A\{Q\}$" is in fact a type and that $A$ can contain an arbitrarily complex
specification. Note that the use of type theory does prohibit potentially useful assertions about
circular data structures and references (this is called a "smallness" condition). The use of a monad in
their logic poses the question of what reasoning principles we may obtain, as a refinement of the present
program logic, if we equip the underlying programming language with a monad.

Reus and Streicher [54] present a Hoare logic for a simple language with higher-order stored
procedures, extended in [53] with primitives for the dynamic allocation and de-allocation of references.
Soundness is proved with denotational methods, but completeness is not proved. Their
assertions contain quoted programs, which is necessary to handle recursion via stored functions.
Their language does not allow procedure parameters and general reference creation.

No work mentioned in this section studies local invariance in the context of program logics. 

Dynamic and Evaluation Logics. Dynamic Logic [16], introduced by Pratt [52] and studied by
Harel and others [18], uses programs and predicates on them as part of formulae, facilitating detailed
specification of various program properties such as (non-)termination, or more intensional features.
As far as we know, higher-order procedures and local state have not been treated in Dynamic Logic,
even though we believe part of the proposed method to treat higher-order functions would work
consistently in their framework.

Evaluation Logic, introduced by Pitts [50] and studied by Moggi [39, 40], is a typed logic
for higher-order programs based on the metalanguage for computational monads which permits
statements about the evaluation of programs to values using evaluation modalities. Recently Mossakowski
et al. [41] studied a generic framework for reasoning about purity [44] and effects based
on a monad-based dynamic logic which is similar to Evaluation Logic. Evaluation Logic is closely
related to the present logic in that it is based on the decomposition of semantic points into values
and computation and that it captures applications as part of the logic even though the approach of
Evaluation Logic is based on denotations. Evaluation Logic has uniformity in that it does not use
separate judgements such as Hoare triples. Evaluation Logic also includes expressions involving
applications as part of terms. Thus its assertion language already includes judgements for programs.

The logic studied in the present paper distinguishes formulae for evaluation in the logical 
language (evaluation formulae) from judgements for programs (pre/post conditions together with 
an anchor). This is motivated by our wish to have the assertion language separate (independent) 
from programs, which we believe to fit such engineering purposes as design-by-contract (where one 
wishes to have abstract description of behaviour before we construct programs). This aspect of the 
present logic is closely related with its compositionality: we wish to build assertions for a program 
from those for its subprograms, and if one of its subprograms, say M, allows the same assertion as 
another program, say M' , then we can replace M by M' and still obtain the same assertion for the 
whole program. Separating the assertion language from programs is also vital for verification of 
multi-language programs. We believe that it is a meaningful topic to explore a uniform treatment of 
both assertions for evaluations and judgements for programs, while keeping the key features of the 
present logic. 

Meta-Logical Study on Freshness. Freshness of names has recently been studied from the viewpoint
of formalising binding relations in programming languages and computational calculi. Pitts
and Gabbay [12, 51] extend first-order logic with constructs to reason about freshness of names
based on the theory of permutations. The key syntactic additions are the (inter-definable) "fresh"
quantifier И and the freshness predicate #, mediated by a swapping (finite permutation) predicate.
Miller and Tiu [35] are motivated by the significance of generic (or eigen-) variables and quantifiers
at the level of both formulae and sequents, and split universal quantification in two, introduce a self-dual
freshness quantifier ∇ and develop the corresponding sequent calculus of Generic Judgements.
While these logics are not program logics, their logical machinery may well be usable in the present
context. As noted in Proposition 5.12, reasoning about $\hookrightarrow$ or $\#$ is tantamount to reasoning about the
support (the semantic notion of freely occurring locations) of a datum/program.
A characterisation of support by the swapping operation may lead to deeper understanding of reachability
axiomatisations.
Appendix A. Typing Rules

The typing rules are standard [?], and listed in Figure 2 for reference (we list only two first-order
operations). We take the equi-isomorphic approach [46] for recursive types. In the first rule
of Figure 2, $c^{\mathsf{C}}$ indicates a constant $c$ has a base type $\mathsf{C}$.

We also list the typing rules for terms and formulae in Figure 3.
[Figure 2 (Typing Rules) is not legible in this copy. It lists the standard rules for labels, constants, addition and equality, conditionals, abstraction, application, recursion, dereferencing, assignment, $\mathsf{ref}(V)$, $\mathsf{new}\ x := M\ \mathsf{in}\ N$, injections, case analysis, pairing and projection.]

Figure 2: Typing Rules



[Figure 3 (Typing rules for terms and formulae) is not legible in this copy.]

Figure 3: Typing rules for terms and formulae
$$[\mathit{Var}]\ \{C[x/u]\}\,x :_u \{C\}@\emptyset \qquad [\mathit{Const}]\ \{C[c/u]\}\,c :_u \{C\}@\emptyset$$

$$[\mathit{Add}]\ \dfrac{\{C\}\,M_1 :_{m_1} \{C_0\}@e_1 \quad \{C_0\}\,M_2 :_{m_2} \{C'[m_1 + m_2/u]\}@e_2}{\{C\}\,M_1 + M_2 :_u \{C'\}@e_1 e_2}$$

$$[\mathit{Inj}_i]\ \dfrac{\{C\}\,M :_m \{C'[\mathsf{inj}_i(m)/u]\}@e}{\{C\}\,\mathsf{inj}_i(M) :_u \{C'\}@e}$$

$$[\mathit{Case}]\ \dfrac{\{C\}\,M :_m \{C_0\}@e_1 \quad \{C_0[\mathsf{inj}_i(x_i)/m]\}\,M_i :_u \{C'\}@e_2}{\{C\}\,\mathsf{case}\ M\ \mathsf{of}\ \{\mathsf{inj}_i(x_i).M_i\}_{i \in \{1,2\}} :_u \{C'\}@e_1 e_2}$$

$$[\mathit{Proj}]\ \dfrac{\{C\}\,M :_m \{C'[\pi_i(m)/u]\}@e}{\{C\}\,\pi_i(M) :_u \{C'\}@e} \qquad [\mathit{Pair}]\ \dfrac{\{C\}\,M_1 :_{m_1} \{C_0\}@e_1 \quad \{C_0\}\,M_2 :_{m_2} \{C'[\langle m_1, m_2 \rangle/u]\}@e_2}{\{C\}\,\langle M_1, M_2 \rangle :_u \{C'\}@e_1 e_2}$$

$$[\mathit{Abs}]\ \dfrac{\{C \wedge A\}\,M :_m \{C'\}@e}{\{A\}\,\lambda x.M :_u \{\Box\forall x\tilde{\imath}.(\{C\}\,u \bullet x = m\{C'\}@e)\}@\emptyset} \qquad [\mathit{Rec}]\ \dfrac{\{A^{-x}\}\,\lambda y.M :_u \{B\}@e}{\{A^{-x}\}\,\mu x.\lambda y.M :_u \{B[u/x]\}@e}$$

$$[\mathit{App}]\ \dfrac{\{C\}\,M :_m \{C_0\}@e \quad \{C_0\}\,N :_n \{m \bullet n = u\{C'\}@e_2\}@e_1}{\{C\}\,MN :_u \{C'\}@e\,e_1 e_2}$$

$$[\mathit{If}]\ \dfrac{\{C\}\,M :_b \{C_0\}@e_1 \quad \{C_0[\mathsf{t}/b]\}\,M_1 :_u \{C'\}@e_2 \quad \{C_0[\mathsf{f}/b]\}\,M_2 :_u \{C'\}@e_2}{\{C\}\,\mathsf{if}\ M\ \mathsf{then}\ M_1\ \mathsf{else}\ M_2 :_u \{C'\}@e_1 e_2}$$

$$[\mathit{Deref}]\ \dfrac{\{C\}\,M :_m \{C'[!m/u]\}@e}{\{C\}\,!M :_u \{C'\}@e} \qquad [\mathit{Assign}]\ \dfrac{\{C\}\,M :_m \{C_0\}@e_1 \quad \{C_0\}\,N :_n \{C'\{n/!m\}\}@e_2 \quad C_0 \supset m = e'}{\{C\}\,M := N\,\{C'\}@e_1 e_2 e'}$$

$$[\mathit{Ref}]\ \dfrac{\{C\}\,M :_m \{C'\}@e}{\{C\}\,\mathsf{ref}(M) :_u \{\nu x.(C'[!u/m] \wedge u \# \tilde{\imath}\tilde{X} \wedge u = x)\}@e}$$

We require that $C'$ is thin w.r.t. $m$ in [Case] and [Deref], and that $C'$ is thin with respect to $m, n$ in [App, Assign].

Figure 4: Derived Compositional Rules for Located Assertions



Appendix B. Proof Rules

$$[\mathit{Inv}]\ \dfrac{\{C\}\,M :_m \{C'\}@\tilde{w}}{\{C \wedge [!\tilde{w}]C_0\}\,M :_m \{C' \wedge [!\tilde{w}]C_0\}@\tilde{w}} \qquad [\mathit{Inv\text{-}Val}]\ \dfrac{\{C\}\,V :_m \{C'\}@\emptyset}{\{C \wedge C_0\}\,V :_m \{C' \wedge C_0\}@\emptyset}$$

$$[\mathit{Inv\text{-}\#}]\ \dfrac{\{C\}\,M :_m \{C'\}@\tilde{x} \quad \text{no dereference occurs in } \tilde{e}}{\{C \wedge \tilde{x}\#\tilde{e}\}\,M :_m \{C' \wedge \tilde{x}\#\tilde{e}\}@\tilde{x}}$$

$$[\mathit{Conseq}]\ \dfrac{C \supset C_0 \quad \{C_0\}\,M :_u \{C_0'\}@e \quad C_0' \supset C'}{\{C\}\,M :_u \{C'\}@e}$$

$$[\mathit{Cons\text{-}Eval}]\ \dfrac{\{C_0\}\,M :_m \{C_0'\}@e \quad x \text{ fresh; } \tilde{\imath} \text{ auxiliary} \quad \forall\tilde{\imath}.\{C_0\}\,x \bullet () = m\{C_0'\} \supset \forall\tilde{\imath}.\{C\}\,x \bullet () = m\{C'\}}{\{C\}\,M :_m \{C'\}@e}$$

$$\dfrac{\{C \wedge A\}\,V :_u \{C'\}@\emptyset}{\{C\}\,V :_u \{A \supset C'\}@\emptyset} \qquad \dfrac{\{C\}\,M :_u \{A \supset C'\}@e}{\{C \wedge A\}\,M :_u \{C'\}@e}$$

$$[\vee\text{-}\mathit{Pre}]\ \dfrac{\{C_1\}\,M :_u \{C\}@e \quad \{C_2\}\,M :_u \{C\}@e}{\{C_1 \vee C_2\}\,M :_u \{C\}@e} \qquad [\wedge\text{-}\mathit{Post}]\ \dfrac{\{C\}\,M :_u \{C_1\}@e \quad \{C\}\,M :_u \{C_2\}@e}{\{C\}\,M :_u \{C_1 \wedge C_2\}@e}$$

$$[\mathit{Aux}\exists]\ \dfrac{\{C\}\,M :_u \{C'\}@e}{\{\exists i.C\}\,M :_u \{C'\}@e} \qquad [\mathit{Aux}\forall V]\ \dfrac{\{C^{-i}\}\,V :_u \{C'\}@e}{\{C\}\,V :_u \{\forall i^{\alpha}.C'\}@e} \qquad [\mathit{Aux}\forall]\ \dfrac{\{C^{-i}\}\,M :_u \{C'\}@e \quad \alpha \text{ is of a base type}}{\{C\}\,M :_u \{\forall i^{\alpha}.C'\}@e}$$

$$[\mathit{Aux}_{\mathit{inst}}]\ \dfrac{\{C(i^{\alpha})\}\,M :_u \{C'(i^{\alpha})\}@e \quad \alpha \text{ atomic}}{\{C(c^{\alpha})\}\,M :_u \{C'(c^{\alpha})\}@e} \qquad [\mathit{Aux}_{\mathit{abst}}]\ \dfrac{\forall c^{\alpha}.\{C(c^{\alpha})\}\,M :_u \{C'(c^{\alpha})\}@e}{\{C(i^{\alpha})\}\,M :_u \{C'(i^{\alpha})\}@e}$$

$$[\mathit{Weak}]\ \dfrac{\{C\}\,M :_m \{C'\}@e}{\{C\}\,M :_m \{C'\}@e\,e'} \qquad [\mathit{Thinning}]\ \dfrac{\{C \wedge\, !e' = i\}\,M :_m \{C' \wedge\, !e' = i\}@e\,e' \quad i \text{ fresh}}{\{C\}\,M :_m \{C'\}@e}$$

Figure 5: Structural Rules for Located Judgements.



B.1. Proofs of Soundness. We prove the soundness theorem. We use the following lemma.

Lemma B.1 (Substitution and Thinning).

(1) $\mathcal{M} \models C \wedge u = V$ iff $\mathcal{M}[u:V] \models C$.

(2) Suppose $m, m_1, m_2 \notin \mathsf{fv}(M, C) \cup \{u, v\}$. Then:

(a) If $(\nu\tilde{l})\mathcal{M}[m:V][u:\mathsf{inj}_i(m)] \models C$, then $(\nu\tilde{l})\mathcal{M}[u:\mathsf{inj}_i(V)] \models C$.

(b) If $(\nu\tilde{l})\mathcal{M}[m:V][u:\pi_i(m)] \models C$, then $(\nu\tilde{l})\mathcal{M}[u:\pi_i(V)] \models C$.

(c) If $(\nu\tilde{l})\mathcal{M}[m_1:V_1][m_2:V_2][u:\langle m_1, m_2 \rangle] \models C$, then $(\nu\tilde{l})\mathcal{M}[u:\langle V_1, V_2 \rangle] \models C$.

(d) Suppose $l \notin \mathsf{fl}(\mathcal{M})$. Then $(\nu l\tilde{l})\mathcal{M}[m:l][u:V][l \mapsto V] \models C$ implies $(\nu\tilde{l})\mathcal{M}[u:V] \models C$.

(e) Suppose $l \notin \mathsf{fl}(\mathcal{M})$ and $\mathsf{fv}(V) \cup \mathsf{fl}(V) = \emptyset$. Then $(\nu l)\mathcal{M}[m:l][l \mapsto V] \models C$ implies $\mathcal{M} \models C$.

(f) Suppose $l \notin \mathsf{fl}(\mathcal{M})$ and $\mathsf{fv}(V) \cup \mathsf{fl}(V) = \emptyset$. Then $\mathcal{M}[m:l][l \mapsto V] \models C$ implies $\mathcal{M} \models C$.

(3) $\mathcal{M} \models \exists m.(\langle !x \rangle(C \wedge\, !x = m) \wedge m = e)$ iff $\mathcal{M}[x \mapsto [\![e]\!]_{\mathcal{M}}] \models C$.
$$[\mathit{LetRef}]\ \dfrac{\{C\}\,M :_m \{C_0\}@e_1 \quad \{C_0[!x/m] \wedge x\#\tilde{e}\}\,N :_u \{C'\}@e_2 \quad x \notin \mathsf{fpn}(\tilde{e})}{\{C\}\,\mathsf{let}\ x = \mathsf{ref}(M)\ \mathsf{in}\ N :_u \{\nu x.C'\}@e_1 e_2}$$

$$[\mathit{Rec}]\ \dfrac{\{A^{-xi} \wedge \forall j < i.B(j)[x/u]\}\,\lambda y.M :_u \{B(i)^{-x}\}@e}{\{A\}\,\mu x.\lambda y.M :_u \{\forall i.B(i)\}@e}$$

$$[\mathit{Let}]\ \dfrac{\{C\}\,M :_x \{C_0\}@e \quad \{C_0\}\,N :_u \{C'\}@e'}{\{C\}\,\mathsf{let}\ x = M\ \mathsf{in}\ N :_u \{C'\}@e\,e'} \qquad [\mathit{LetOpen}]\ \dfrac{\{C\}\,M :_x \{\nu\tilde{y}.C_0\}@e_1 \quad \{C_0\}\,N :_u \{C'\}@e_2}{\{C\}\,\mathsf{let}\ x = M\ \mathsf{in}\ N :_u \{\nu\tilde{y}.C'\}@e_1 e_2}$$

$$[\mathit{Simple}]\ \{C[e/u]\}\,e :_u \{C\}@\emptyset \qquad [\mathit{IfH}]\ \dfrac{\{C \wedge e\}\,M_1\,\{C'\}@\tilde{e} \quad \{C \wedge \neg e\}\,M_2\,\{C'\}@\tilde{e}}{\{C\}\,\mathsf{if}\ e\ \mathsf{then}\ M_1\ \mathsf{else}\ M_2\,\{C'\}@\tilde{e}}$$

$$[\mathit{AppS}]\ \dfrac{C \supset \{C\}\,e \bullet (e_1 .. e_n) = u\{C'\}@e'}{\{C\}\,e(e_1 .. e_n) :_u \{C'\}@e'} \qquad [\mathit{Subs}]\ \dfrac{\{C\}\,M :_u \{C'\}@e' \quad i \notin \mathsf{fpn}(e)}{\{C[e/i]\}\,M :_u \{C'[e/i]\}@e'}$$

$$[\mathit{Seq}]\ \dfrac{\{C\}\,M\,\{C_0\}@e \quad \{C_0\}\,N\,\{C'\}@e'}{\{C\}\,M;N\,\{C'\}@e\,e'} \qquad [\mathit{Seq\text{-}Inv}]\ \dfrac{\{C_1\}\,M\,\{C_1'\}@e_1 \quad \{C_2\}\,N\,\{C_2'\}@e_2}{\{C_1 \wedge [!\tilde{e}_1]C_2\}\,M;N\,\{C_2' \wedge \langle !\tilde{e}_2 \rangle C_1'\}@e_1 e_2}$$

$C'$ is thin w.r.t. $m$ in [New] and w.r.t. $x$ in [Let, LetOpen]. $C_1$ and $C_2$ are tame in [Seq-Inv].

Figure 6: Other Located Proof Rules.



Proof. For (1), we derive:

$$\mathcal{M} \models C \wedge u = V \;\equiv\; \mathcal{M} \models C \wedge \mathcal{M} \models u = V \;\equiv\; \mathcal{M}[u:V] \models C$$

(2) is mechanical by induction on $C$. We only show some interesting cases. Others are similar. For (2-a), let $\mathcal{M}_1 = (\nu\tilde{l})\mathcal{M}[m:V][u:\mathsf{inj}_i(m)]$ and $\mathcal{M}_2 = (\nu\tilde{l})\mathcal{M}[u:\mathsf{inj}_i(V)]$.

Assume $C = (e_1 = e_2)$. Then, with $w$ fresh and $m \notin \mathsf{fv}(e_1, e_2)$, we have $\mathcal{M}_1[w:e_1] \approx \mathcal{M}_1[w:e_2]$ iff $\mathcal{M}_2[w:e_1] \approx \mathcal{M}_2[w:e_2]$. Hence $\mathcal{M}_1 \models e_1 = e_2$ iff $\mathcal{M}_2 \models e_1 = e_2$.

Assume $C = \forall x.C'$. Then we have:

$$\begin{array}{lll}
\mathcal{M}_1 \models \forall x.C' & \equiv & \forall L \in \mathcal{F}.\ \mathcal{M}_1[x:L] \models C' \\
& \equiv & \forall L' \in \mathcal{F}.\ \mathcal{M}_2[x:L'] \models C' \quad \text{such that } m \notin \mathsf{fv}(L') \\
& \equiv & \mathcal{M}_2 \models \forall x.C'
\end{array}$$

Assume $C = \nu x.C'$. Then we have:

$$\begin{array}{lll}
\mathcal{M}_1 \models \nu x.C' & \equiv & \exists \mathcal{M}_0.(\mathcal{M}_1 \approx (\nu l)\mathcal{M}_0 \wedge \mathcal{M}_0[x:l] \models C') \\
& \equiv & \exists \mathcal{M}_0'.(\mathcal{M}_2 \approx (\nu l)\mathcal{M}_0' \wedge \mathcal{M}_0'[x:l] \models C') \quad \text{such that } \mathcal{M}_0' = \mathcal{M}_0/m[V/m] \\
& \equiv & \mathcal{M}_2 \models \nu x.C'
\end{array}$$

Assume $C = x \bullet y = z\{C'\}$. Then we derive:

$$\begin{array}{lll}
\mathcal{M}_1 \models x \bullet y = z\{C'\} & \equiv & \exists \mathcal{M}_1'.(\mathcal{M}_1[z:xy] \Downarrow \mathcal{M}_1' \wedge \mathcal{M}_1' \models C') \\
& & \quad \text{with } \mathcal{M}_1' = (\nu\tilde{l})\mathcal{M}'[m:V][u:\mathsf{inj}_i(m)] \\
& \equiv & \exists \mathcal{M}_2'.(\mathcal{M}_2[z:xy] \Downarrow \mathcal{M}_2' \wedge \mathcal{M}_2' \models C') \\
& & \quad \text{with } \mathcal{M}_2' = (\nu\tilde{l})\mathcal{M}'[u:\mathsf{inj}_i(V)] \text{ and (IH)} \\
& \equiv & \mathcal{M}_2 \models x \bullet y = z\{C'\}
\end{array}$$

Others (b-f) are similar. (3) is from [5]. $\square$
Below we write $\mathcal{M} \Downarrow \mathcal{M}' \models C$ for $\mathcal{M} \Downarrow \mathcal{M}' \wedge \mathcal{M}' \models C$.

We start with [Var].

$$\mathcal{M} \models C[x/u] \;\Rightarrow\; \mathcal{M} \models C \wedge u = x \;\Rightarrow\; \mathcal{M}[u:x] \models C \qquad \text{(Lemma B.1 (1))}$$

Similarly for [Const] using Lemma B.1 (1). Next, [Add] is proved as follows:

$$\begin{array}{lll}
\mathcal{M} \models C & \Rightarrow \mathcal{M}[m_1:M_1] \Downarrow \mathcal{M}_1 \models C_0 & \text{(IH)} \\
& \Rightarrow \mathcal{M}_1[m_2:M_2] \Downarrow \mathcal{M}_2 \models C'[m_1 + m_2/u] & \text{(IH)} \\
& \Rightarrow \mathcal{M}[m_1:M_1][m_2:M_2][u:m_1 + m_2] \Downarrow \mathcal{M}' \models C' & \\
& \Rightarrow \mathcal{M}[u:M_1 + M_2] \Downarrow \mathcal{M}'/m_1 m_2 \models C' & \text{(Proposition 3.13 (1))}
\end{array}$$

[Inj$_i$] is proved as:

$$\begin{array}{lll}
\mathcal{M} \models C & \Rightarrow \mathcal{M}[m:M] \Downarrow (\nu\tilde{l})\mathcal{M}'[m:V] \models C'[\mathsf{inj}_1(m)/u] & \text{(IH)} \\
& \Rightarrow \mathcal{M}[m:M][u:\mathsf{inj}_1(m)] \Downarrow (\nu\tilde{l})\mathcal{M}'[m:V][u:\mathsf{inj}_1(V)] \models C' & \text{(Lemma B.1 (1))} \\
& \Rightarrow (\nu\tilde{l})\mathcal{M}'[u:\mathsf{inj}_1(V)] \models C' & \text{(Lemma B.1 (2-a))} \\
& \Rightarrow \mathcal{M}[u:\mathsf{inj}_1(M)] \models C' &
\end{array}$$

[Proj] and [Pair] are similarly proved using Lemma B.1 (2-b,c) respectively.

For [Case], we reason:

$$\begin{array}{ll}
\mathcal{M} \models C & \Rightarrow \mathcal{M}[m:M] \Downarrow (\nu\tilde{l}')\mathcal{M}_0[m:\mathsf{inj}_i(V)] \models C_0 \\
& \quad \text{if } \mathcal{M} = (\nu\tilde{l})(\xi, \sigma),\ (\nu\tilde{l})(M\xi, \sigma) \Downarrow (\nu\tilde{l}')(\mathsf{inj}_i(V), \sigma'),\ \text{and } \mathcal{M}_0 = (\xi, \sigma') \\
& \Rightarrow (\nu\tilde{l}')\mathcal{M}_0[m:\mathsf{inj}_i(V)] \models C_0 \wedge m = \mathsf{inj}_i(x_i) \\
& \Rightarrow (\nu\tilde{l}')\mathcal{M}_0[m:\mathsf{inj}_i(V)][u:M_i] \Downarrow (\nu\tilde{l}'')\mathcal{M}'[m:\mathsf{inj}_i(V)][u:W] \models C' \\
& \Rightarrow (\nu\tilde{l}'')\mathcal{M}'[u:W] \models C'
\end{array}$$

The last line is by the thinness of $C'$ with respect to $m$.

Now we reason for [Abs]. We note that, if $A$ is stateless (cf. Definition 3.14) and $\mathcal{M} \models A$, then $\mathcal{M}[u:M] \Downarrow \mathcal{M}'$ with $u$ fresh implies $\mathcal{M}' \models A$.

$$\begin{array}{l}
\mathcal{M} \models A \supset \mathcal{M}[u:\lambda x.M] \models \Box\forall x\tilde{\imath}.\{C\}\,u \bullet x = m\{C'\} \\
\equiv\ \mathcal{M} \models A \supset (\mathcal{M}[u:\lambda x.M][x:N_x][\tilde{\imath}:\tilde{N}][k:N] \Downarrow \mathcal{M}' \wedge \mathcal{M} \approx \mathcal{M}'/x\tilde{\imath} \wedge \mathcal{M}' \models \{C\}\,u \bullet x = m\{C'\}) \\
\equiv\ \mathcal{M} \models A \supset ((\mathcal{M}[u:\lambda x.M][x:N_x][\tilde{\imath}:\tilde{N}][k:N] \Downarrow \mathcal{M}' \wedge \mathcal{M} \approx \mathcal{M}'/x\tilde{\imath} \wedge \mathcal{M}' \models C) \supset \mathcal{M}'[m:ux] \Downarrow \mathcal{M}'' \wedge \mathcal{M}'' \models C') \\
\equiv\ A \supset ((\mathcal{M}[u:\lambda x.M][x:N_x][\tilde{\imath}:\tilde{N}][k:N] \Downarrow \mathcal{M}' \wedge \mathcal{M} \approx \mathcal{M}'/x\tilde{\imath} \wedge \mathcal{M}' \models C \wedge A) \supset \mathcal{M}'[m:ux] \Downarrow \mathcal{M}'' \wedge \mathcal{M}'' \models C') \\
\subset\ \mathcal{M}' \models A \wedge C \supset (\mathcal{M}'[m:M] \Downarrow \mathcal{M}'' \wedge \mathcal{M}'' \models C')
\end{array}$$

[App] is reasoned as follows. Below $k$ is fresh.

$$\begin{array}{ll}
\mathcal{M} \models C & \Rightarrow \mathcal{M}[m:M] \Downarrow \mathcal{M}_0 \models C_0 \\
& \Rightarrow \mathcal{M}_0[n:N] \Downarrow \mathcal{M}_1 \models C_1 \wedge m \bullet n = u\{C'\} \\
& \Rightarrow \mathcal{M}[m:M][n:N][u:mn] \Downarrow \mathcal{M}' \models C' \\
& \Rightarrow \mathcal{M}[m:M][n:N][u:MN] \Downarrow \mathcal{M}' \models C' \\
& \Rightarrow \mathcal{M}[u:MN] \Downarrow \mathcal{M}'/mn \models C'
\end{array}$$

The last line is derived by the thinness of $C'$ with respect to $m, n$.
For [Deref], we infer:

$$\mathcal{M} \models C \;\Rightarrow\; \mathcal{M}[m:M] \Downarrow \mathcal{M}' \models C'[!m/u] \;\Rightarrow\; \mathcal{M}[u:!M] \Downarrow \mathcal{M}'/m \models C'$$

For [Assign], assume $u$ is fresh.

$$\begin{array}{lll}
\mathcal{M} \models C & \Rightarrow \mathcal{M}[m:M] \Downarrow \mathcal{M}_0 \models C_0 & \\
& \Rightarrow \mathcal{M}_0[n:N] \Downarrow \mathcal{M}' \models C'\{n/!m\} & \\
& \Rightarrow \mathcal{M}'[m \mapsto n] \Downarrow \mathcal{M}'' \models C' & \text{(Lemma B.1 (3))} \\
& \Rightarrow \mathcal{M}[u:M := N] \Downarrow \mathcal{M}''/mn[u:()] \models C' &
\end{array}$$







For [Rec-Ren] , 



M |=A 



M[f 
M[f 
M[u 
M[u 



foc.M] \= B 

fif.hc.M)[u:hc.M] ^A 
Hf.fcc.M][u:vf.Xx.M] \=A 
/jf.fac.M] \= f = u D A 
fjf.Xx.M] \=A[u/f] Lemma [Bit 1) 



[Eq] is similar to [Add], using Proposition 3.13 (1).

[Ref] appeared in the main text (the second last line uses Lemma B.1 (2-d) to delete $m$). We complete all cases. $\square$



B.2. Soundness of the Invariant Rule. Among the structural rules, we prove the soundness of the main invariance rule, [Inv] in Figure 5.

Lemma B.2. Suppose $C$ is tame and $\mathcal{M} \models C$. Suppose $\mathcal{M} \rightsquigarrow \mathcal{M}'$ and $\mathcal{M} \approx \mathcal{M}'/u_1..u_n$. Then $\mathcal{M}' \models C$.

Proof. By mechanical induction on $C$, noting it only contains evaluation formulae under $\Box$. $\square$

Lemma B.3. Suppose $\mathcal{M} \models [!\tilde{w}]C$ and $C$ is tame. Then for each $M$ and $\mathcal{M}'$, if $\mathcal{M}[u:M] \Downarrow \mathcal{M}'$ and $\mathcal{M}[z: \mathsf{let}\ \tilde{x} = !\tilde{w}\ \mathsf{in}\ \mathsf{let}\ y = M\ \mathsf{in}\ \tilde{w} := \tilde{x}] \Downarrow \mathcal{M}''$ s.t. $\mathcal{M}''/z \approx \mathcal{M}$, then we have $\mathcal{M}' \models C$.

Proof. For simplicity we assume $\tilde{w}$ is a singleton (the general case is the same). Let $\mathcal{M} \models [!w]C$ and $C$ be tame. Suppose $\mathcal{M}[u:M] \Downarrow \mathcal{M}'$ such that only the content of $w$ is affected. We let, with appropriate closed $V_0$:

$$\mathcal{M}[x:!w][y:\mathsf{ref}(V_0)][u: \mathsf{let}\ m = M\ \mathsf{in}\ (y := !w;\ w := x;\ m)] \Downarrow \mathcal{M}'' \qquad \mathcal{M} \approx \mathcal{M}''/xyu \qquad \text{(B.1)}$$

Hence by Lemma B.2 we have:

$$\mathcal{M}'' \models [!w]C \qquad \text{(B.2)}$$

Further note

$$\mathcal{M}''[w \mapsto !y] \Downarrow \mathcal{M}''' \qquad \mathcal{M}' \approx \mathcal{M}'''/xy \qquad \text{(B.3)}$$

By (B.2) and (B.3) we obtain $\mathcal{M}''' \models C$. By Lemma B.2 and this, we have $\mathcal{M}' \models C$, as required. $\square$

We now prove:

Proposition B.4. The following rule is sound.

$$[\mathit{Inv}]\ \dfrac{\{C\}\,M :_m \{C'\}@\tilde{w} \quad C_0 \text{ is tame}}{\{C \wedge [!\tilde{w}]C_0\}\,M :_m \{C' \wedge [!\tilde{w}]C_0\}@\tilde{w}}$$
Proof. Assume $\{C\}\,M :_u \{C'\}@\tilde{w}$. Then by definition, for each $\mathcal{M}$ such that $\mathcal{M} \models C$ we have:

$$\mathcal{M}[u:M] \Downarrow \mathcal{M}' \models C' \qquad \text{(B.4)}$$
$$\mathcal{M}[z: \mathsf{let}\ \tilde{x} = !\tilde{w}\ \mathsf{in}\ \mathsf{let}\ y = \tilde{e}\tilde{e}'\ \mathsf{in}\ \tilde{w} := \tilde{x}] \Downarrow \mathcal{M}'' \text{ s.t. } \mathcal{M}''/z \approx \mathcal{M} \qquad \text{(B.5)}$$

Then:

$$\begin{array}{ll}
& \mathcal{M} \models C \wedge [!\tilde{w}]C_0 \\
\Rightarrow & \mathcal{M} \models [!\tilde{w}][!\tilde{w}]C_0 \qquad \text{(by the axiom } [!\tilde{w}][!\tilde{w}]C_0 = [!\tilde{w}]C_0\text{)} \\
\Rightarrow & \forall \mathcal{M}', M.((\mathcal{M}[u:M] \Downarrow \mathcal{M}' \wedge \mathcal{M}[z: \mathsf{let}\ \tilde{x} = !\tilde{w}\ \mathsf{in}\ \mathsf{let}\ y = \tilde{e}\tilde{e}'\ \mathsf{in}\ \tilde{w} := \tilde{x}] \Downarrow \mathcal{M}'' \approx \mathcal{M}[z:()]) \supset \mathcal{M}' \models [!\tilde{w}]C_0) \\
\Rightarrow & \mathcal{M}' \models C' \qquad \text{((B.4), (B.5) above)} \\
\Rightarrow & \mathcal{M}' \models C' \wedge [!\tilde{w}]C_0
\end{array}$$

Hence we have $\{C \wedge [!\tilde{w}]C_0\}\,M :_m \{C' \wedge [!\tilde{w}]C_0\}@\tilde{w}$, as required. $\square$



B.3. Soundness of [LetOpen] and [Subs]. We prove soundness of [LetOpen] and [Subs] used in § 6.1. For [LetOpen] (we prove the case that $\tilde{y}$ is a singleton), we derive:

$$\begin{array}{lll}
\mathcal{M} \models C & \Rightarrow \mathcal{M}[x:M] \Downarrow \mathcal{M}' \models \nu y.C_0 & \text{(Assumption)} \\
& \equiv \mathcal{M}[x:M] \Downarrow \mathcal{M}' \wedge \exists \mathcal{M}_0.(\mathcal{M}' \approx (\nu l)\mathcal{M}_0 \wedge \mathcal{M}_0 \models C_0) &
\end{array}$$

Also we have:

$$\mathcal{M}_0 \models C_0 \;\Rightarrow\; \mathcal{M}_0[u:N] \Downarrow \mathcal{M}_0' \models C' \qquad \text{(Assumption)}$$

Combining these two, we have:

$$\begin{array}{ll}
\mathcal{M} \models C & \Rightarrow \mathcal{M}[x:M] \Downarrow \mathcal{M}' \wedge \exists \mathcal{M}_0.(\mathcal{M}' \approx (\nu l)\mathcal{M}_0 \wedge \mathcal{M}_0[u:N] \Downarrow \mathcal{M}_0' \wedge \mathcal{M}_0' \models C') \\
& \Rightarrow \mathcal{M}[u: \mathsf{let}\ x = M\ \mathsf{in}\ N] \Downarrow \mathcal{M}'' \wedge \mathcal{M}'' \models C' \quad \text{with } \mathcal{M}''/x = \mathcal{M}'
\end{array}$$

The last line is by thinness.

For [Subs] (we prove the case that $e$ is a singleton), we have:

$$\begin{array}{ll}
\mathcal{M} \models C & \Rightarrow \mathcal{M}[u:M] \Downarrow \mathcal{M}' \wedge \mathcal{M}' \models C' \\
& \Rightarrow \forall \mathcal{M}_0.(\mathcal{M}_0 \models i = e \wedge \mathcal{M}_0[u:M] \Downarrow \mathcal{M}_0' \supset \mathcal{M}_0' \models i = e) \qquad (w \notin \mathsf{fpn}(e)) \\
& \Rightarrow \forall \mathcal{M}_0.(\mathcal{M}_0 \models (C \wedge i = e) \wedge \mathcal{M}_0[u:M] \Downarrow \mathcal{M}_0' \models (C' \wedge i = e))
\end{array}$$



Appendix C. Soundness of the Axioms

This appendix lists the omitted proofs from Section 5. We first prove the basic lemma and propositions. In § C.3 we show the axioms for the content quantifications. In § C.7 we prove the (AIH)-axioms.
C.1. Proofs of Lemma 5.1. For (1), both directions are simultaneously established by induction on $C$, proving for both $C$ and its negation. If $C$ is $e_1 = e_2$, we have, letting $\mathcal{M} \stackrel{\mathrm{def}}{=} (\nu\tilde{l})(\xi, \sigma)$, $\delta \stackrel{\mathrm{def}}{=} [u/v; v/u]$ and $\xi' = \xi \circ \delta$:

$$\begin{array}{ll}
& \mathcal{M} \models e_1 = e_2 \\
\Rightarrow & \mathcal{M}[x:e_1] \approx \mathcal{M}[x:e_2] \\
\Rightarrow & (\nu\tilde{l})(\xi \cdot x : [\![e_1]\!]_{(\xi,\sigma)}, \sigma) \approx (\nu\tilde{l})(\xi \cdot x : [\![e_2]\!]_{(\xi,\sigma)}, \sigma) \\
\Rightarrow & (\nu\tilde{l})(\xi' \cdot x : [\![e_1\delta]\!]_{(\xi',\sigma)}, \sigma) \approx (\nu\tilde{l})(\xi' \cdot x : [\![e_2\delta]\!]_{(\xi',\sigma)}, \sigma) \qquad (*) \\
\Rightarrow & \mathcal{M}\delta[x:e_1\delta] \approx \mathcal{M}\delta[x:e_2\delta] \\
\Rightarrow & \mathcal{M}\delta \models (e_1 = e_2)\delta
\end{array}$$

Above $(*)$ used $[\![e_i\delta]\!]_{(\xi',\sigma)} \stackrel{\mathrm{def}}{=} [\![e_i]\!]_{(\xi,\sigma)}$. Dually for its negation. The rest is easy by induction. (2) is by precisely the same reasoning. (3) is immediate from (1) and (2). (4) is similar, for which we again show a base case.

$$\begin{array}{lll}
& \mathcal{M} \models e_1 = e_2 & \\
\Leftrightarrow & \mathcal{M}[x:e_1] \approx \mathcal{M}[x:e_2] & \text{(By Definition)} \\
\Leftrightarrow & \mathcal{M}[x:e_1][u:e] \approx \mathcal{M}[x:e_2][u:e] & \text{(congruency of } \approx\text{)} \\
\Leftrightarrow & \mathcal{M}[u:e][x:e_1] \approx \mathcal{M}[u:e][x:e_2] & \text{(By (3))}
\end{array}$$

Dually for the negation. For (5), the "only if" direction:

$$\begin{array}{lll}
& \mathcal{M} \models e_1 = e_2 & \\
\Leftrightarrow & \mathcal{M}[u:e_1] \approx \mathcal{M}[u:e_2] & \text{(By Definition)} \\
\Leftrightarrow & \mathcal{M}[u:e_1][v:e_2] \approx \mathcal{M}[u:e_2][v:e_2] \ \wedge\ \mathcal{M}[u:e_2][v:e_2] \approx \mathcal{M}[u:e_2][v:e_1] & \text{(By (4))} \\
\Rightarrow & \mathcal{M}[u:e_1][v:e_2] \approx \mathcal{M}[u:e_2][v:e_1]. &
\end{array}$$

Operationally, the encoding of models simply removes all references to $u, v$ and replaces them by positional information: hence all relevant difference is induced, if ever, by behavioural differences between $e_1$ and $e_2$, which however cannot exist by assumption. The "if" direction is immediate by projection.

(6) is best argued using concrete models. For the former, let $\mathcal{M} = (\nu\tilde{l})(\xi, \sigma)$ and let $\xi(x) = W$. We infer:

$$\begin{array}{lll}
\mathcal{M}[u:x][v:e] & = & (\nu\tilde{l})(\xi \cdot u : W \cdot v : [\![e]\!]_{\xi,\sigma}, \sigma) \\
& = & (\nu\tilde{l})(\xi \cdot u : W \cdot v : [\![e[u/x]]\!]_{\xi,\sigma}, \sigma)
\end{array}$$

For the latter, let $\mathcal{M} = (\nu\tilde{l})(\xi, \sigma)$ and $W = [\![e]\!]_{\xi,\sigma}$ (the standard interpretation of $e$ by $\xi$ and $\sigma$). We then have

$$\begin{array}{lll}
\mathcal{M}[u:e][v:e'] & \approx & (\nu\tilde{l})(\xi \cdot u : W \cdot v : [\![e']\!]_{\xi,\sigma}, \sigma) \\
& \approx & (\nu\tilde{l})(\xi \cdot u : W \cdot v : [\![e'[e/u]]\!]_{\xi,\sigma}, \sigma)
\end{array}$$

The last line is because the interpretation is homomorphic. $\square$



C.2. Proof of Proposition 5.3

Proposition 5.3.

(1) $\Box(C_1 \supset C_2) \supset \Box C_1 \supset \Box C_2$; $\Box C \supset C$; $\Box\Box C = \Box C$; $C \supset \Diamond C$. Hence $\Box C \supset \Diamond C$.

(2) (permutation and decomposition)

(a) $\Box e_1 = e_2 \;=\; e_1 = e_2$ and $\Box e_1 \neq e_2 \;=\; e_1 \neq e_2$ if $e_i$ does not contain dereference.

(b) $\Box(C_1 \wedge C_2) = \Box C_1 \wedge \Box C_2$.

(c) $\Box C_1 \vee \Box C_2 \supset \Box(C_1 \vee C_2)$.

(d) $\Box\forall x.C \supset \forall x.\Box C$ and $\Box\forall x.\Box C = \Box\forall x.C$.

(e) $\exists x.\Box C \supset \Box\exists x.C$.

(f) $\Box\bar{\nu}x.C = \bar{\nu}x.\Box C$; and $\nu x.\Box C \supset \Box\nu x.C$.

(g) $\Box\exists x.C = \exists x.\Box C$ and $\Box\forall x.C = \forall x.\Box C$.

(h) $\Box[!x]C = [!x]\Box C = \Box C$ and $\langle !x \rangle\Box C = \Box C \supset \Box\langle !x \rangle C$.

(1) is obvious by definition. For (2-a), suppose $\mathcal{M} \models e_1 = e_2$. Then by definition for all $\mathcal{M}'$ such that $\mathcal{M} \rightsquigarrow \mathcal{M}'$, we have $\mathcal{M}'[u:e_1] \approx \mathcal{M}'[u:e_2]$. Hence $\mathcal{M} \models \Box e_1 = e_2$, as required. Similarly for $e_1 \neq e_2$. For (2-b), we have:

$$\begin{array}{lll}
\mathcal{M} \models \Box(C_1 \wedge C_2) & \equiv & \forall \mathcal{M}'.(\mathcal{M} \rightsquigarrow \mathcal{M}' \supset \mathcal{M}' \models C_1 \wedge \mathcal{M}' \models C_2) \\
& \equiv & \forall \mathcal{M}'.(\mathcal{M} \rightsquigarrow \mathcal{M}' \supset \mathcal{M}' \models C_i) \quad (i = 1, 2) \\
& \equiv & \mathcal{M} \models \Box C_1 \wedge \Box C_2
\end{array}$$

For (2-c), we derive:

$$\begin{array}{lll}
\mathcal{M} \models \Box C_1 \vee \Box C_2 & \equiv & \forall \mathcal{M}'.(\mathcal{M} \rightsquigarrow \mathcal{M}' \supset \mathcal{M}' \models C_i) \quad (i = 1 \vee i = 2) \\
& \supset & \forall \mathcal{M}'.(\mathcal{M} \rightsquigarrow \mathcal{M}' \supset \mathcal{M}' \models C_1 \vee C_2) \\
& \equiv & \mathcal{M} \models \Box(C_1 \vee C_2)
\end{array}$$

For (2-d(1)), we derive, with $u$ fresh:

$$\begin{array}{lll}
\mathcal{M} \models \Box\forall x.C & \equiv & \forall \mathcal{M}'.(\mathcal{M}[u:N] \Downarrow \mathcal{M}' \supset \forall L \in \mathcal{F}.(\mathcal{M}'[x:L] \Downarrow \mathcal{M}'' \supset \mathcal{M}'' \models C)) \\
& \Rightarrow & \forall \mathcal{M}', L' \in \mathcal{F}, \forall N.(\mathcal{M}[x:L'][u:N[L'/x]] \Downarrow \mathcal{M}' \supset \mathcal{M}' \models C) \quad \text{such that } u \notin \mathsf{fv}(L') \\
& \Rightarrow & \forall \mathcal{M}', L' \in \mathcal{F}, \forall N.(\mathcal{M}[x:L'][u:N] \Downarrow \mathcal{M}' \supset \mathcal{M}' \models C) \quad \text{such that } u \notin \mathsf{fv}(L') \\
& \Rightarrow & \mathcal{M} \models \forall x.\Box C
\end{array}$$

Note that $x \notin \mathsf{fv}(N)$ in the second line. To derive the third line, we use the fact that for all $L \in \mathcal{F}$ such that $u \notin \mathsf{fv}(L)$ and all $N$, if $\mathcal{M}[x:L][u:N[L/x]] \Downarrow \mathcal{M}'$, then $\mathcal{M}[x:L][u:N] \Downarrow \mathcal{M}'$.

For (2-d(2)), by $\Box C \supset C$, we have $\Box\forall x.\Box C \supset \Box\forall x.C$. The other direction is proved with $\Box\Box C = \Box C$, as $\Box\forall x.C = \Box\Box\forall x.C \supset \Box\forall x.\Box C$.

For (f-1), we derive, with $u$ fresh:

$$\begin{array}{lll}
\mathcal{M} \models \bar{\nu}x.\Box C & \equiv & \forall \mathcal{M}'.((\nu l)\mathcal{M}' \approx \mathcal{M} \supset \forall \mathcal{M}'', N.(\mathcal{M}'[x:l][u:N] \Downarrow \mathcal{M}'' \approx (\nu\tilde{l})\mathcal{M}'''[x:l][u:V] \supset \mathcal{M}'' \models C)) \\
& \equiv & \forall \mathcal{M}_0, N.(\mathcal{M}[u:N] \Downarrow \mathcal{M}_0 \supset \forall \mathcal{M}_0'.(\mathcal{M}_0 \approx (\nu l)\mathcal{M}_0' \supset \mathcal{M}_0'[x:l] \models C)) \\
& & \quad \text{such that } l, x \notin \mathsf{fv}(N) \cup \mathsf{fl}(N),\ \text{with } \mathcal{M}_0 = (\nu\tilde{l})(\nu l)\mathcal{M}'''[u:V],\ \mathcal{M}_0' = (\nu\tilde{l})\mathcal{M}'''[u:V] \\
& \equiv & \mathcal{M} \models \Box\bar{\nu}x.C
\end{array}$$

For (f-2), we derive, with $u$ fresh:

$$\begin{array}{lll}
\mathcal{M} \models \nu x.\Box C & \equiv & \exists \mathcal{M}'.((\nu l)\mathcal{M}' \approx \mathcal{M} \wedge \forall \mathcal{M}''.(\mathcal{M}'[x:l][u:N] \Downarrow \mathcal{M}'' \approx (\nu\tilde{l})\mathcal{M}'''[x:l][u:V] \supset \mathcal{M}'' \models C)) \\
& \Rightarrow & \forall \mathcal{M}_0.(\mathcal{M}[u:N] \Downarrow \mathcal{M}_0 \supset \exists \mathcal{M}_0'.(\mathcal{M}_0 \approx (\nu l)\mathcal{M}_0' \wedge \mathcal{M}_0'[x:l] \models C)) \\
& & \quad \text{with } \mathcal{M}_0 = (\nu\tilde{l})(\nu l)\mathcal{M}'''[u:V],\ \mathcal{M}_0' = (\nu\tilde{l})\mathcal{M}'''[u:V] \\
& \equiv & \mathcal{M} \models \Box\nu x.C
\end{array}$$

(g) is trivial. For (h), we prove the first equation. With $u$ fresh, we have:

$$\begin{array}{lll}
\mathcal{M} \models \Box[!x]C & \equiv & \forall N.(\mathcal{M}[u:N] \Downarrow \mathcal{M}' \supset \forall L \in \mathcal{F}.\ \mathcal{M}'[x \mapsto L] \models C) \\
& \Rightarrow & \forall L \in \mathcal{F}, \forall N.(\mathcal{M}[u:((x := L); N)] \Downarrow \mathcal{M}' \supset \mathcal{M}' \models C) \\
& \equiv & \mathcal{M} \models [!x]\Box C \\
& \Rightarrow & \mathcal{M} \models \Box C
\end{array}$$

The last line is by the axiom $[!x]C \supset C$. For the other direction, with $u$ fresh,

$$\begin{array}{lll}
\mathcal{M} \models \Box C & \equiv & \forall N.(\mathcal{M}[u:N] \Downarrow \mathcal{M}' \supset \mathcal{M}' \models C) \\
& \Rightarrow & \forall L \in \mathcal{F}, \forall N.(\mathcal{M}[u:(x := L; N)] \Downarrow \mathcal{M}' \supset \mathcal{M}' \models C) \\
& \equiv & \mathcal{M} \models [!x]\Box C \\
& \equiv & \forall L, L' \in \mathcal{F}, \forall N.(\mathcal{M}[x \mapsto L][u:(N; x := L')] \Downarrow \mathcal{M}' \supset \mathcal{M}' \models C) \\
& \equiv & \forall L' \in \mathcal{F}, \forall N.(\mathcal{M}[x \mapsto\, !x][u:(N; x := L')] \Downarrow \mathcal{M}' \supset \mathcal{M}' \models C) \\
& \equiv & \forall L' \in \mathcal{F}, \forall N.(\mathcal{M}[u:(N; x := L')] \Downarrow \mathcal{M}' \supset \mathcal{M}' \models C) \\
& \Rightarrow & \mathcal{M} \models \Box[!x]C
\end{array}$$

In Line 5, we use the fact that $!x$ is a functional term. In Line 6, we note that $\mathcal{M}[x \mapsto\, !x] = \mathcal{M}$. The equation for $\langle !x \rangle C$ is similar. This concludes the proofs.

C.3. Axioms for Content Quantification. The axiomatisation of content quantification in [6] uses the well-known axioms [33, §2.3] for standard quantifiers. Despite the presence of local state, most of the axioms stay valid.

Proposition C.1 (Axioms for Content Quantifications). Recall $A$ denotes a stateless formula.

(1) $[!x]A = A$

(2) $[!x]\,!y = z \;=\; x \neq y \wedge\, !y = z$

(3) $[!x]([!x]C_1 \supset C_2) \supset ([!x]C_1 \supset [!x]C_2)$.

(4) $[!x][!x]C = [!x]C$

(5) $[!x][!y]C = [!y][!x]C$

(6) $[!x](C_1 \wedge C_2) = [!x]C_1 \wedge [!x]C_2$

(7) $[!x]C_1 \vee [!x]C_2 \supset [!x](C_1 \vee C_2)$

Proof. For (1), assume $\mathcal{M} \models \Box A$. By definition, for all $N$, if $\mathcal{M}[u:N] \Downarrow \mathcal{M}'$, then $\mathcal{M}' \models A$. This implies: for all $V$ and $L \in \mathcal{F}$, if $\mathcal{M}[u: x := V; L] \Downarrow \mathcal{M}'$, then $\mathcal{M}' \models A$, which means $\mathcal{M} \models [!x]A$. Others are proved as in Appendix C. $\square$



C.4. Proof of Proposition 5.8

Proposition 5.8 (Axioms for $\nu$, $\exists$ and $\forall$). Below we assume there is no capture of variables in types and formulae.

(1) (introduction) $C \supset \nu x.C$ if $x \notin \mathsf{fv}(C)$

(2) (elimination) $\nu x.C = C$ if $x \notin \mathsf{fv}(C)$ and $C$ is monotone.

(3) For any $C$ we have $C \supset \exists x.C$. Given $C$ such that $x \notin \mathsf{fv}(C)$ and $C$ is thin with respect to $x$, we have $\exists x.C \supset C$.

(4) For any $C$ we have $\forall x.C \supset C$. For $C$ such that $x \notin \mathsf{fv}(C)$ and $C$ is thin with respect to $x$, we have $C \supset \forall x.C$.

(5) $\nu x.(C_1 \wedge C_2) \supset \nu x.C_1 \wedge \nu x.C_2$.

(6) $\nu x.(C_1 \vee C_2) = \nu x.C_1 \vee \nu x.C_2$.

(7) $\nu y.\forall x.C \supset \forall x.\nu y.C$

(8) $\exists x.\nu y.C \supset \nu y.\exists x.C$ and $\exists x^{\alpha}.\nu y.C = \nu y.\exists x^{\alpha}.C$ with $\alpha \in \{\mathsf{Unit}, \mathsf{Bool}, \mathsf{Nat}\}$.

(9) $\nu y.\bar{\nu}x.C \supset \bar{\nu}x.\nu y.C$; and $\nu y.\nu x.C = \nu x.\nu y.C$.

(10) $\bar{\nu}y.\exists x.C = \exists x.\bar{\nu}y.C$; and $\bar{\nu}y.\forall x.C \supset \forall x.\bar{\nu}y.C$.

(11) $\nu y.[!x]C \supset [!x]\nu y.C$ and $\nu y.\langle !x \rangle C \supset \langle !x \rangle\nu y.C$

(1) is by definition. For (2), we have:

$$\begin{array}{lll}
\mathcal{M} \models \nu x.C & \Rightarrow & \exists \mathcal{M}', l.((\nu l)\mathcal{M}' = \mathcal{M} \wedge \mathcal{M}'[x:l] \models C) \\
& \Rightarrow & \exists \mathcal{M}', l.((\nu l)\mathcal{M}' = \mathcal{M} \wedge \mathcal{M}' \models C) \qquad \text{(Lemma 5.1 (4))} \\
& \Rightarrow & (\nu l)\mathcal{M}' \models C \qquad (C \text{ is monotone})
\end{array}$$

For (7), we derive:

$$\begin{array}{lll}
\mathcal{M} \models \nu y.\forall x.C & \equiv & \exists \mathcal{M}_0, \forall L \in \mathcal{F}.(\mathcal{M} \approx (\nu l)\mathcal{M}_0 \wedge (\mathcal{M}_0[x:L] \Downarrow \mathcal{M}_0' \supset \mathcal{M}_0' \models C)) \\
& \Rightarrow & \forall L \in \mathcal{F}, \exists \mathcal{M}_0.(\mathcal{M}[x:L] \approx ((\nu l)\mathcal{M}_0)[x:L] \wedge \mathcal{M}_0[x:L] \models C) \quad \text{such that } l \notin \mathsf{fl}(L) \\
& \equiv & \mathcal{M} \models \forall x.\nu y.C
\end{array}$$

For (8-1), we derive:

$$\begin{array}{lll}
\mathcal{M} \models \exists x.\nu y.C & \equiv & \exists L \in \mathcal{F}.(\mathcal{M}[x:L] \Downarrow \mathcal{M}' \wedge \exists \mathcal{M}_0.(\mathcal{M}' \approx (\nu l)\mathcal{M}_0 \wedge \mathcal{M}_0[y:l] \models C)) \\
& \Rightarrow & \exists L \in \mathcal{F}, \mathcal{M}_0.(\mathcal{M} \approx (\mathcal{M}[x:L])/x \approx ((\nu l)\mathcal{M}_0)/x \wedge \mathcal{M}_0[y:l] \models C) \\
& \equiv & \exists L \in \mathcal{F}, \mathcal{M}_0'.(\mathcal{M} \approx (\nu l)\mathcal{M}_0' \wedge \mathcal{M}_0'[y:l][x:L] \models C) \quad \text{with } \mathcal{M}_0' = \mathcal{M}_0/x \\
& \equiv & \mathcal{M} \models \nu y.\exists x.C
\end{array}$$

Note that the other direction does not generally hold. Consider $\mathcal{M} \models \nu y.\exists x.C$. This is equivalent to:

$$\exists L \in \mathcal{F}, \mathcal{M}_0.(\mathcal{M} \approx (\nu l)\mathcal{M}_0 \wedge \mathcal{M}_0[y:l][x:L] \models C)$$

Since $L$ might contain the new reference $l$ hidden in $\mathcal{M}$, $\mathcal{M}[x:L[l/y]]$ is undefined (hence we cannot permute $[y:l]$ and $[x:L[l/y]]$).

For (8-2), we only have to prove $\nu y.\exists x^{\alpha}.C \supset \exists x^{\alpha}.\nu y.C$ with $\alpha \in \{\mathsf{Unit}, \mathsf{Bool}, \mathsf{Nat}\}$. We derive:

$$\begin{array}{lll}
\mathcal{M} \models \nu y.\exists x.C & \equiv & \exists \mathcal{M}_0, c.(\mathcal{M} \approx (\nu l)\mathcal{M}_0 \wedge \mathcal{M}_0[y:l][x:c] \models C) \\
& \equiv & \exists c, \mathcal{M}_0.(\mathcal{M}[x:c] \approx ((\nu l)\mathcal{M}_0)[x:c] \wedge \mathcal{M}_0[x:c][y:l] \models C) \\
& \equiv & \mathcal{M} \models \exists x.\nu y.C
\end{array}$$

For (9-2), we have:

$$\begin{array}{lll}
\mathcal{M} \models \nu x.\nu y.C & \equiv & \exists \mathcal{M}'.(\mathcal{M} \approx (\nu l)\mathcal{M}' \wedge \mathcal{M}'[x:l] \models \nu y.C) \\
& \equiv & \exists \mathcal{M}', \mathcal{M}''.(\mathcal{M} \approx (\nu l)\mathcal{M}' \wedge \mathcal{M}'[x:l] \approx (\nu l')\mathcal{M}'' \wedge \mathcal{M}''[y:l'] \models C) \\
& \equiv & \exists \mathcal{M}', \mathcal{M}''.(\mathcal{M} \approx (\nu l)\mathcal{M}' \approx (\nu l l')\mathcal{M}'' \wedge \mathcal{M}''[x:l] \approx (\nu l')\mathcal{M}'' \wedge \mathcal{M}''[y:l'] \models C) \\
& \equiv & \mathcal{M} \models \nu y.\nu x.C
\end{array}$$

For (11), we derive:

$$\begin{array}{lll}
\mathcal{M} \models \nu y.[!x]C & \equiv & \exists \mathcal{M}_0.(\mathcal{M} \approx (\nu l)\mathcal{M}_0 \wedge \forall L \in \mathcal{F}.(\mathcal{M}_0[y:l][x \mapsto L] \models C)) \\
& \equiv & \forall L \in \mathcal{F}.\exists \mathcal{M}_0.(\mathcal{M} \approx (\nu l)\mathcal{M}_0 \wedge \mathcal{M}_0[y:l][x \mapsto L] \models C) \quad \text{such that } l, y \notin \mathsf{fv}(L) \cup \mathsf{fl}(L) \\
& \equiv & \forall L \in \mathcal{F}.\exists \mathcal{M}_0.(\mathcal{M}[x \mapsto L] \approx (\nu l)(\mathcal{M}_0[x \mapsto L]) \wedge \mathcal{M}_0[x \mapsto L][y:l] \models C) \\
& \equiv & \mathcal{M} \models [!x]\nu y.C
\end{array}$$

The remaining claims are similar.
C.5. Proof of Theorem 5.10

Theorem 5.10. Suppose all reachability predicates in $C$ are finite. Then there exists $C'$ such that $C = C'$ and no reachability predicate occurs in $C'$.

As the first step, we define a simple inductive method for defining reachability from a datum of a finite type.

Definition C.2 ($i$-step reachability). Let $\alpha$ be a finite type. Then the $i$-step reachability predicate $\mathsf{reach}(x^{\alpha}, y, i)$ (read: "a reference $y$ is reachable from $x$ in at most $i$ steps") is inductively given as follows (below we assume $y$ is typed $\mathsf{Ref}(\beta)$, $\mathsf{C} \in \{\mathsf{Unit}, \mathsf{Bool}, \mathsf{Nat}\}$, and omit types when evident).

$$\begin{array}{lll}
\mathsf{reach}(x^{\alpha}, y, 0) & = & x = y \\
\mathsf{reach}(x^{\mathsf{C}}, y, n+1) & = & \mathsf{F} \\
\mathsf{reach}(x^{\alpha_1 \times \alpha_2}, y, n+1) & = & \bigvee_i \mathsf{reach}(\pi_i(x), y, n) \vee \mathsf{reach}(x, y, n) \\
\mathsf{reach}(x^{\alpha_1 + \alpha_2}, y, n+1) & = & \exists x'.(x = \mathsf{inj}_1(x') \wedge \mathsf{reach}(x', y, n)) \vee \\
& & \exists x'.(x = \mathsf{inj}_2(x') \wedge \mathsf{reach}(x', y, n)) \vee \\
& & \mathsf{reach}(x, y, n) \\
\mathsf{reach}(x^{\mathsf{Ref}(\alpha)}, y, n+1) & = & \mathsf{reach}(!x, y, n) \vee \mathsf{reach}(x, y, n)
\end{array}$$

With $\mathsf{C}$ being a base type, $\mathsf{reach}(x^{\mathsf{C}}, y, 0) = (x = y) = \mathsf{F}$ (since a reference $y$ cannot be equal to a datum of a base type).

A key lemma follows.

Proposition C.3. If $\alpha$ is finite, then the logical equivalence $x^{\alpha} \hookrightarrow y = \exists i.\mathsf{reach}(x^{\alpha}, y, i)$ is valid, i.e. is true in any model.

Proof. For the "if" direction, we show, by induction on $i$, $\mathsf{reach}(x^{\alpha}, y, i) \supset x^{\alpha} \hookrightarrow y$. For the base case, we have $i = 0$, in which case $\mathsf{reach}(x^{\alpha}, y, 0) \supset x = y \supset x \hookrightarrow y$.

For induction, let the statement hold up to $n$. We only show the case of a product. Other cases are similar.

$$\begin{array}{lll}
\mathsf{reach}(x^{\alpha_1 \times \alpha_2}, y, n+1) & \Rightarrow & \bigvee_i \mathsf{reach}(\pi_i(x), y, n) \vee \mathsf{reach}(x, y, n) \\
& \Rightarrow & \bigvee_i \pi_i(x) \hookrightarrow y \vee x \hookrightarrow y
\end{array}$$

But if $\pi_1(x) \hookrightarrow y$ then $x \hookrightarrow y$ by the definition of reachability. Similarly when $\pi_2(x) \hookrightarrow y$, hence done.

For the converse, we show the contrapositive, showing:

$$\mathcal{M} \models \neg\exists i.\mathsf{reach}(x^{\alpha}, y, i) \;\Rightarrow\; \mathcal{M} \models \neg x^{\alpha} \hookrightarrow y$$

If we have $\mathcal{M} \models \neg\exists i.\mathsf{reach}(x^{\alpha}, y, i)$ with $\alpha$ finite, then the reference $y$ is not among the references reachable from $x$ (if it is, then either $x = y$ or $y$ is the content of a reference reachable from $x$ because of the finiteness of $\alpha$, so that we can find some $i$ such that $\mathcal{M} \models \mathsf{reach}(x^{\alpha}, y, i)$), hence done. $\square$

Now let us define the predicate $x^{\alpha} \hookrightarrow^{\circ} y^{\mathsf{Ref}(\beta)}$ with $\alpha$ finite, by the axioms given in Proposition 5.9 which we reproduce below ($\mathsf{C} \in \{\mathsf{Unit}, \mathsf{Bool}, \mathsf{Nat}\}$).

$$\begin{array}{lll}
x^{\mathsf{C}} \hookrightarrow^{\circ} y^{\mathsf{Ref}(\beta)} & = & \mathsf{F} \\
x^{\alpha_1 + \alpha_2} \hookrightarrow^{\circ} y^{\mathsf{Ref}(\beta)} & = & \exists x'.((\bigvee_{i=1,2} x = \mathsf{inj}_i(x')) \wedge x' \hookrightarrow^{\circ} y) \\
x^{\mathsf{Ref}(\alpha)} \hookrightarrow^{\circ} y^{\mathsf{Ref}(\beta)} & = & x = y \vee\, !x \hookrightarrow^{\circ} y
\end{array}$$

The inductive definition is possible due to finiteness. We now show:

Proposition C.4. If $\alpha$ is finite, then the logical equivalence $x^{\alpha} \hookrightarrow^{\circ} y^{\mathsf{Ref}(\beta)} = \exists i.\mathsf{reach}(x^{\alpha}, y^{\mathsf{Ref}(\beta)}, i)$ is valid.

Proof. $\mathsf{reach}(x^{\alpha}, y^{\mathsf{Ref}(\beta)}, i) \supset x^{\alpha} \hookrightarrow^{\circ} y^{\mathsf{Ref}(\beta)}$ is by induction on $i$. The converse is by induction on $\alpha$. Both are mechanical and omitted. $\square$

Corollary C.5. If $\alpha$ is finite, then the logical equivalence $x^{\alpha} \hookrightarrow y^{\mathsf{Ref}(\beta)} = x^{\alpha} \hookrightarrow^{\circ} y^{\mathsf{Ref}(\beta)}$ is valid, i.e. $\hookrightarrow$ is completely characterised by the axioms for $\hookrightarrow^{\circ}$ given above.

Proof. Immediate from Propositions C.3 and C.4. $\square$
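Both Definition C.2 and the axioms for finite types can be evaluated mechanically over a concrete store, which makes the agreement stated in Corollary C.5 checkable on examples. The following added Python example (not code from the paper) implements the $i$-step predicate $\mathsf{reach}$ and the axiomatic $\hookrightarrow$ side by side over a constructed store; the `Ref` class, the tuple encoding of types and values, and the product clause of the axiomatic version (taken from the product case of Definition C.2, since the page lists only the base, sum and reference axioms) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

BASE = ("Unit", "Bool", "Nat")          # base types C of Definition C.2


@dataclass(frozen=True)
class Ref:
    """A reference name (a location); two references are equal iff their names are."""
    name: str


# Assumed encodings for this example:
#   types:  a base-type name, ("prod", t1, t2), ("sum", t1, t2) or ("ref", t)
#   values: None/bool/int for base types, (v1, v2) for products,
#           ("inj", k, v) with k in {1, 2} for sums, and a Ref for reference types
Store = Dict[Ref, Any]                   # each reference mapped to its content !x


def reach(x: Any, t: Any, y: Ref, i: int, store: Store) -> bool:
    """reach(x^t, y, i) of Definition C.2: y reachable from x in at most i steps."""
    if i == 0:
        # reach(x, y, 0) = (x = y); false for base, pair and injection data
        return isinstance(x, Ref) and x == y
    if t in BASE:
        return False                     # reach(x^C, y, n+1) = F
    if t[0] == "prod":                   # V_i reach(pi_i(x), y, n) v reach(x, y, n)
        return (any(reach(x[k], t[k + 1], y, i - 1, store) for k in (0, 1))
                or reach(x, t, y, i - 1, store))
    if t[0] == "sum":                    # x = inj_k(x') ^ reach(x', y, n) v reach(x, y, n)
        _, k, inner = x
        return reach(inner, t[k], y, i - 1, store) or reach(x, t, y, i - 1, store)
    if t[0] == "ref":                    # reach(!x, y, n) v reach(x, y, n)
        return reach(store[x], t[1], y, i - 1, store) or reach(x, t, y, i - 1, store)
    raise ValueError(f"unknown type {t!r}")


def hooks(x: Any, t: Any, y: Ref, store: Store) -> bool:
    """x^t |-> y by the axioms of Proposition 5.9, recursing on the (finite) type."""
    if t in BASE:
        return False                     # x^C |-> y = F
    if t[0] == "prod":                   # assumed product clause, as in Definition C.2
        return any(hooks(x[k], t[k + 1], y, store) for k in (0, 1))
    if t[0] == "sum":                    # exists x'. x = inj_k(x') ^ x' |-> y
        _, k, inner = x
        return hooks(inner, t[k], y, store)
    if t[0] == "ref":                    # x = y v !x |-> y
        return x == y or hooks(store[x], t[1], y, store)
    raise ValueError(f"unknown type {t!r}")


def type_depth(t: Any) -> int:
    """Nesting depth of a finite type; each reach step strips one constructor."""
    return 0 if t in BASE else 1 + max(type_depth(s) for s in t[1:])


def least_steps(x: Any, t: Any, y: Ref, store: Store) -> Optional[int]:
    """Least i with reach(x^t, y, i), or None. By Proposition C.3 such an i exists
    exactly when x |-> y; type_depth(t) + 1 bounds the search."""
    for i in range(type_depth(t) + 2):
        if reach(x, t, y, i, store):
            return i
    return None


def agree_on_all_refs(x: Any, t: Any, store: Store) -> bool:
    """Corollary C.5 on one store: the two definitions agree for every reference."""
    return all((least_steps(x, t, y, store) is not None) == hooks(x, t, y, store)
               for y in store)


def demo() -> Tuple[Optional[int], bool, bool, bool]:
    # Constructed sample store: r1 : Ref(Ref(Nat)) holds r2; r2, r3 : Ref(Nat).
    r1, r2, r3 = Ref("r1"), Ref("r2"), Ref("r3")
    store: Store = {r1: r2, r2: 5, r3: 7}
    t = ("prod", ("sum", ("ref", ("ref", "Nat")), "Bool"), "Bool")
    x = (("inj", 1, r1), True)           # <inj_1(r1), t> : (Ref(Ref(Nat)) + Bool) x Bool
    return (least_steps(x, t, r2, store),   # 3 steps: pi_1, inj_1, then !r1
            hooks(x, t, r2, store),         # True: r2 is reachable from x
            hooks(x, t, r3, store),         # False: nothing in x leads to r3
            agree_on_all_refs(x, t, store))


if __name__ == "__main__":
    print(demo())
```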



C.6. Proof of Proposition 5.14

Proposition 5.14. For an arbitrary $C$, the following is valid with $\tilde{\imath}, \tilde{X}$ fresh:

$$\Box\{C \wedge x\#f\tilde{y}\tilde{w}\}\,f \bullet y = z\{C'\}@\tilde{w} \;\supset\; \Box\forall\tilde{X}\tilde{\imath}.\{C \wedge x\#f\tilde{\imath}\tilde{y}\tilde{w}\}\,f \bullet y = z\{C' \wedge x\#f\tilde{\imath}\tilde{y}z\tilde{w}\}@\tilde{w}$$

Proof. The proof traces the transition of state using the elementary fact that the set of names and labels in a term always gets smaller as reduction goes by. Suppose we have

$$\mathcal{M} \models \Box\{x\#fyw \wedge C\}\,f \bullet y = z\{C'\}@w$$

The definition of the evaluation formula says:

$$(\mathcal{M} \rightsquigarrow \mathcal{M}_0 \wedge \mathcal{M}_0 \models x\#fyw\tilde{\imath} \wedge C) \;\supset\; \exists \mathcal{M}'.(\mathcal{M}_0[z:fy] \Downarrow \mathcal{M}' \wedge \mathcal{M}' \models C').$$

We prove such $\mathcal{M}'$ always satisfies $\mathcal{M}' \models x\#f\tilde{\imath}yzw$. Assume

$$\mathcal{M}_0 \approx (\nu\tilde{l})(\xi, \sigma_0 \uplus \sigma_x)$$

with $\xi(x) = l_x$, $\xi(y) = V_y$, $\xi(f) = V_f$ and $\xi(w) = l_w$ such that

$$\mathsf{lc}(\mathsf{fl}(V_f, V_y, l_w), \sigma_0 \uplus \sigma_x) = \mathsf{fl}(\sigma_0) = \mathsf{dom}(\sigma_0)$$

and $l_x \in \mathsf{dom}(\sigma_x)$. By this partition, during evaluation of $z : fy$, $\sigma_x$ is unchanged, i.e.

$$(\nu\tilde{l})(\xi \cdot z : fy, \sigma_0 \uplus \sigma_x) \;\rightsquigarrow\; (\nu\tilde{l})(\xi \cdot z : V_f V_y, \sigma_0 \uplus \sigma_x) \;\rightsquigarrow\; (\nu\tilde{l}')(\xi \cdot z : V_z, \sigma_0' \uplus \sigma_x)$$

Then obviously there exists $\sigma_1$ such that $\sigma_1 \subseteq \sigma_0'$ and

$$\mathsf{lc}(\mathsf{fl}(V_z, l_w), \sigma_0' \uplus \sigma_x) = \mathsf{fl}(\sigma_1) = \mathsf{dom}(\sigma_1)$$

Hence by Proposition 3.9 we have $\mathcal{M}' \models x\#fy\tilde{\imath}wz$, completing the proof. $\square$
C.7. Proof of Proposition 5.15

Proposition 5.15. Assume $C_0 = C_0' \wedge x\#\tilde{\imath}\tilde{y} \wedge g \not\hookrightarrow x$, $C_0'$ is stateless except $x$, $C$ is anti-monotone, $C'$ is monotone, $\tilde{\imath}, m$ are fresh and $\{x, g\} \cap (\mathsf{fv}(C, C') \cup \{\tilde{w}\}) = \emptyset$. Then the following is valid:

$$(\mathrm{AIH})\qquad \forall\tilde{X}.\forall\tilde{\imath}^{\tilde{X}}.\,m \bullet () = u\{(\nu x.\exists g.E_1) \wedge E\} \;\supset\; \forall\tilde{X}.\forall\tilde{\imath}^{\tilde{X}}.\,m \bullet () = u\{E_2 \wedge E\}$$

with

- $E_1 \stackrel{\mathrm{def}}{=} \mathsf{Inv}(u, C_0, x) \wedge \Box\forall y\tilde{\imath}.\{C_0 \wedge C\}\,u \bullet y = z\{C'\}@\tilde{w}x$ and

- $E_2 \stackrel{\mathrm{def}}{=} \Box\forall y.\{C\}\,u \bullet y = z\{C'\}@\tilde{w}$.

Proof. W.l.o.g. we assume all vectors are unary, setting $\tilde{\imath} = i$, $\tilde{w} = w$, $\tilde{x} = x$ and $\tilde{g} = g$. The proof proceeds as follows, starting from the current model $\mathcal{M}_0$.

Stage 1. We take $\mathcal{M}$ such that:

$$\mathcal{M}_0 \rightsquigarrow \mathcal{M}$$

We then take off the hiding, name it $x$ and the result is called $\mathcal{M}_*$:

$$(\nu l)(\mathcal{M}_*/x) \approx \mathcal{M}.$$

Stage 2. We further let $\mathcal{M}$ evolve so that:

$$\mathcal{M} \rightsquigarrow \mathcal{M}'$$

We then again take off the corresponding hiding, name it $x$ and the result is called $\mathcal{M}_*'$:

$$(\nu l)(\mathcal{M}_*'/x) \approx \mathcal{M}'$$

Stage 3. We show that if $\mathcal{M}_*$ satisfies $C_0$ then $\mathcal{M}_*'$ again satisfies $C_0$:

$$\mathcal{M}_* \models C_0 \;\supset\; \mathcal{M}_*' \models C_0$$

using $\mathsf{Inv}(u, C_0, x)$ as well as the unreachability of $x$ from $u$.

By reaching Stage 3, we know that if $\mathcal{M}' \models C$ then it is also the case that $\mathcal{M}_*' \models C_0 \wedge C$, hence we can use the assumption (together with monotonicity of $C'$):

$$\forall y\tilde{\imath}.\{C_0 \wedge C\}\,u \bullet y = z\{C'\}@wx$$

hence we know we arrive at $C'$ as a result.

We now implement these steps. We set:

$$E = \mathsf{T}. \qquad \text{(C.1)}$$

The trivialisation of $E$ (taken as truth) is just for simplicity and does not affect the argument. Now fix an arbitrary $\mathcal{M}_0$ and suppose we reach:

$$\mathcal{M}_0 \rightsquigarrow \mathcal{M} \qquad \text{(C.2)}$$

This gives the status of the post-condition of the whole formula (to be precise this is through the encoding in (4.9) in § 4.5 to relate $m \bullet ()$ and the transition above). Assuming the hidden $x$ in the formula in $E_1$ is about a (fresh) $l$, we can set:

$$\mathcal{M} \stackrel{\mathrm{def}}{=} (\nu l)(\nu\tilde{l})(\xi, \sigma \cdot [l \mapsto V]) \models \nu x.\exists g.E_1 \qquad \text{(C.3)}$$

as well as, by revealing $l$,

$$\mathcal{M}_* = (\nu\tilde{l})(\xi \cdot x : l \cdot g : U, \sigma \cdot [l \mapsto V]) \models E_1 \qquad \text{(C.4)}$$

Note by assumption we have:

$$l \notin \mathsf{fl}(m, \sigma). \qquad \text{(C.5)}$$
Further $U$ does not contain any hidden or free locations from $\mathcal{M}$ by $g \not\hookrightarrow x$.

Now we consider the right-hand side of $E_1$, $\Box\forall y\tilde{\imath}.\{C_0 \wedge C\}\,u \bullet y = z\{C'\}@wx$, by taking for fresh $N$:

$$\mathcal{M}[f:N] \Downarrow \mathcal{M}' \qquad \text{(C.6)}$$

Corresponding to the relationship between $\mathcal{M}$ and $\mathcal{M}_*$ we set:

$$\mathcal{M}_*[f:N] \Downarrow \mathcal{M}_*' \qquad \text{(C.7)}$$

Note we have

$$(\nu l)(\mathcal{M}_*'/xg) \approx \mathcal{M}' \qquad \text{(C.8)}$$

We now show:

$$\mathcal{M}_* \models C_0 \;\supset\; \mathcal{M}_*' \models C_0 \qquad \text{(C.9)}$$

that is, $C_0$ is invariant under the evaluation (effects) of $N$. Assume

$$\mathcal{M}_* \models C_0 \qquad \text{(C.10)}$$

First observe

$$\mathcal{M}_* \models C_0 \wedge x\#\tilde{y}\tilde{r}w \qquad \text{(C.11)}$$

Now in the standard way $N$ can be approximated by a finite term, that is a term which does not contain recursion except divergent programs. We take $N$ as such an approximation without loss of generality. Such $N$ can be written as a sequence of let expressions including assignments. Without loss of generality we focus on a "let" expression which is either a function call or an assignment. Then at each evaluation we have either:

- The let has the form $\mathsf{let}\ x = uV\ \mathsf{in}\ M'$, that is it invokes $u$;

- The let has the form $\mathsf{let}\ x = WV\ \mathsf{in}\ M'$ where $W$ is not $u$;

- The let has the form $w' := V; M'$.

We observe:

- In the first case $u$ is directly invoked: thus by the invariance $\mathsf{Inv}(u, C_0, x)$, $C_0$ continues to hold. Note $w'$ is not $x$ since $N$ has no access to $x$ except through $u$.

- In the second case of the let (i.e. $u$ is not called), since $x$ is disjoint from all visible data, by Proposition 5.14 we know $x$ (hence the content of $x$) is never touched by the execution of the function body after the invocation, until again $u$ is called (if ever): since $C_0$ is insensitive to state change except at $x$ (by being stateless except $x$), it continues to hold again in this case.

- In the third case again $x$ is not touched, hence $C_0$ continues to hold.

Thus we have:

$$\mathcal{M}_*' \models C_0 \qquad \text{(C.12)}$$

Now suppose we have

$$\mathcal{M}' \models C \qquad \text{(C.13)}$$

By anti-monotonicity of $C$ we have

$$\mathcal{M}_*'/xg \models C \qquad \text{(C.14)}$$

By Lemma 5.1 (4), we can arbitrarily weaken a disjoint extension (at $x$ and $g$) so that:

$$\mathcal{M}_*' \models C \qquad \text{(C.15)}$$

Thus we know:

$$\mathcal{M}_*' \models C_0 \wedge C \qquad \text{(C.16)}$$

Now we can apply:

$$\mathcal{M}' \models \nu x.\exists g.\forall y.\{C_0 \wedge C\}\,u \bullet y = z\{C'\}@wx \qquad \text{(C.17)}$$

by which we know:

$$\mathcal{M}_*'[z:uy] \Downarrow \mathcal{M}_*'' \models C' \qquad \text{(C.18)}$$

Accordingly let

$$\mathcal{M}'[z:uy] \Downarrow \mathcal{M}'' \approx (\nu l)(\mathcal{M}_*''/x) \qquad \text{(C.19)}$$

for which we know, by (C.18) and (C.19) together with monotonicity of $C'$:

$$\mathcal{M}'' \models C' \qquad \text{(C.20)}$$

Hence we know:

$$\mathcal{M} \models \{C\}\,u \bullet y = z\{C'\}@w \qquad \text{(C.21)}$$

which is the required assertion. $\square$



C.8. Proof of Proposition 5.16

Proposition 5.16. Let $x \notin \mathsf{fv}(C)$ and $m, \tilde{\imath}, \tilde{X}$ be fresh. Then the following is valid:

$$\forall\tilde{X}\tilde{\imath}^{\tilde{X}}.\,m \bullet () = u\{\nu x.([!x]C \wedge x\#u\tilde{\imath}^{\tilde{X}})\} \;\supset\; m \bullet () = u\{C\}$$

Proof. For simplicity, set $\tilde{x}$ to be a singleton $x$. Assume

$$\mathcal{M}[u : m \bullet ()] \Downarrow \mathcal{M}'$$

By assumption we can set

$$\mathcal{M}' \approx (\nu l)(\nu\tilde{l}')(\xi \cdot u : V, \sigma \cdot l \mapsto W)$$

such that

$$(\nu\tilde{l}')(\xi \cdot u : V \cdot x : l, \sigma \cdot l \mapsto W) \models [!x]C$$

where $l$ is not reachable from anywhere else in the model. By Lemma B.1 we obtain $(\nu\tilde{l}')(\xi \cdot u : V, \sigma) \models C$, that is $\mathcal{M}' \models C$, as required. $\square$



C.9. Proof of Proposition 5.17. Assume $C_0$ is stateless except $x$ and suppose:

$$\mathcal{M} \models \mathsf{Inv}(f, C_0, x) \wedge \{\mathsf{T}\}\,g \bullet f = z\{\mathsf{T}\}. \qquad \text{(C.22)}$$

Further assume $\mathcal{M} \rightsquigarrow \mathcal{M}_0$ and

$$\mathcal{M}_0 \models C_0 \wedge x\#g\tilde{r} \quad \text{and} \quad \mathcal{M}_0[z:fg] \Downarrow \mathcal{M}'. \qquad \text{(C.23)}$$

By $\mathsf{Inv}(f, C_0, x)$ we know that once $C_0$ holds and $f$ is invoked, it continues to hold. By $\{\mathsf{T}\}\,g \bullet f = z\{\mathsf{T}\}$, we know the application $gf$ always terminates. Now this application invokes $f$ zero or more times. The first time it can only apply $f$ to some $x$-unreachable datum. Similarly for the second time, since the context cannot obtain an $x$-reachable datum (given $g$ itself is $x$-unreachable). By induction the same holds up to the last invocation. In each invocation, $C_0$ is invariant. Further, other computations in $fg$ never touch the content of $x$, hence because of $C_0$ being stateless except $x$, we know $C_0$ is again invariant in such computations. Thus we conclude that $C_0$ still holds in the post-condition, and that the return value is $x$-unreachable, i.e. $x\#z$, as required. $\square$



Appendix D. Derivations for Examples in Section 6

This appendix lists the derivations omitted in Section 6.
1. $\{(n \geq 1 \supset \mathsf{IsEven}'(!y, gh, n-1, xy)) \wedge n = 0\}\ \mathsf{f} :_z \{z = \mathsf{Odd}(n) \wedge\, !x = g \wedge\, !y = h\}@\emptyset$ (Const)

2. $\{(n \geq 1 \supset \mathsf{IsEven}'(!y, gh, n-1, xy)) \wedge n \geq 1\}\ \mathsf{not}((!y)(n-1)) :_z \{z = \mathsf{Odd}(n) \wedge\, !x = g \wedge\, !y = h\}@\emptyset$ (Simple, App)

3. $\{n \geq 1 \supset \mathsf{IsEven}'(!y, gh, n-1, xy)\}\ \mathsf{if}\ n = 0\ \mathsf{then}\ \mathsf{f}\ \mathsf{else}\ \mathsf{not}((!y)(n-1)) :_z \{z = \mathsf{Odd}(n) \wedge\, !x = g \wedge\, !y = h\}@\emptyset$ (IfH)

4. $\{\mathsf{T}\}\ \lambda n.\mathsf{if}\ n = 0\ \mathsf{then}\ \mathsf{f}\ \mathsf{else}\ \mathsf{not}((!y)(n-1)) :_u \{\Box\forall gh, n \geq 1.\{\mathsf{IsEven}'(h, gh, n-1, xy)\}\,u \bullet n = z\{z = \mathsf{Odd}(n) \wedge\, !x = g \wedge\, !y = h\}@\emptyset\}@\emptyset$ (Abs, $\forall$, Conseq)

5. $\{\mathsf{T}\}\ M_x :_u \{\forall gh, n \geq 1.(\mathsf{IsEven}(h, gh, n-1, xy) \supset \mathsf{IsOdd}(u, gh, n, xy))\}@\emptyset$ (Conseq)

6. $\{\mathsf{T}\}\ x := M_x\ \{\forall gh, n \geq 1.(\mathsf{IsEven}(h, gh, n-1, xy) \supset \mathsf{IsOdd}(!x, gh, n, xy)) \wedge\, !x = g\}@x$ (Assign)

7. $\{\mathsf{T}\}\ y := M_y\ \{\forall gh, n \geq 1.(\mathsf{IsOdd}(g, gh, n-1, xy) \supset \mathsf{IsEven}(!y, gh, n, xy)) \wedge\, !y = h\}@y$

8. $\{\mathsf{T}\}\ \mathsf{mutualParity}\ \{\forall gh, n \geq 1.((\mathsf{IsEven}(h, gh, n-1, xy) \wedge \mathsf{IsOdd}(g, gh, n-1, xy)) \supset (\mathsf{IsEven}(!y, gh, n, xy) \wedge \mathsf{IsOdd}(!x, gh, n, xy) \wedge\, !x = g \wedge\, !y = h))\}@xy$ ($\wedge$-Post)

9. $\{\mathsf{T}\}\ \mathsf{mutualParity}\ \{\forall n \geq 1, gh.((\mathsf{IsEven}(h, gh, n-1, xy) \wedge \mathsf{IsOdd}(g, gh, n-1, xy) \wedge\, !x = g \wedge\, !y = h) \supset (\mathsf{IsEven}(!y, gh, n, xy) \wedge \mathsf{IsOdd}(!x, gh, n, xy) \wedge\, !x = g \wedge\, !y = h))\}@xy$ (Conseq)

10. $\{\mathsf{T}\}\ \mathsf{mutualParity}\ \{\forall n \geq 1, gh.((\mathsf{IsEven}(!y, gh, n-1, xy) \wedge \mathsf{IsOdd}(!x, gh, n-1, xy) \wedge\, !x = g \wedge\, !y = h) \supset (\mathsf{IsEven}(!y, gh, n, xy) \wedge \mathsf{IsOdd}(!x, gh, n, xy) \wedge\, !x = g \wedge\, !y = h))\}@xy$ (Conseq)

11. $\{\mathsf{T}\}\ \mathsf{mutualParity}\ \{\forall n \geq 1.(\exists gh.(\mathsf{IsEven}(!x, gh, n-1, xy) \wedge \mathsf{IsOdd}(!y, gh, n-1, xy) \wedge\, !x = g \wedge\, !y = h) \supset \exists gh.(\mathsf{IsEven}(!y, gh, n, xy) \wedge \mathsf{IsOdd}(!x, gh, n, xy) \wedge\, !x = g \wedge\, !y = h))\}@xy$ (Conseq)

12. $\{\mathsf{T}\}\ \mathsf{mutualParity}\ \{\exists gh.\mathsf{IsOddEven}(gh, !x!y, xy, n)\}@xy$

Figure 7: mutualParity derivations



D.1. Derivation for mutualParity. Let us define:

$$M_x \stackrel{\mathrm{def}}{=} \lambda n.\mathsf{if}\ n = 0\ \mathsf{then}\ \mathsf{f}\ \mathsf{else}\ \mathsf{not}((!y)(n-1))$$
$$M_y \stackrel{\mathrm{def}}{=} \lambda n.\mathsf{if}\ n = 0\ \mathsf{then}\ \mathsf{t}\ \mathsf{else}\ \mathsf{not}((!x)(n-1))$$

We also use:

$$\mathsf{IsOdd}'(u, gh, n, xy) \stackrel{\mathrm{def}}{=} \mathsf{IsOdd}(u, gh, n, xy) \wedge\, !x = g \wedge\, !y = h$$
$$\mathsf{IsEven}'(u, gh, n, xy) \stackrel{\mathrm{def}}{=} \mathsf{IsEven}(u, gh, n, xy) \wedge\, !x = g \wedge\, !y = h$$

Figure 7 lists the derivation for mutualParity. In Line 4, $h$ in the evaluation formula can be replaced by $!y$ and vice versa because of $!y = h$ and the universal quantification of $h$:

$$\forall h.(!y = h \wedge \{C\}\,h \bullet n = z\{C'\}) = \forall h.(!y = h \wedge \{C\}\,(!y) \bullet n = z\{C'\})$$

In Line 5, we use the following axiom for the evaluation formula from [25]:

$$\{C \wedge A\}\,e_1 \bullet e_2 = z\{C'\} = A \supset \{C\}\,e_1 \bullet e_2 = z\{C'\}$$

where $A$ is stateless and we set $A = \mathsf{IsEven}(h, gh, n-1, xy)$. Line 9 is derived as Line 4 by replacing $h$ and $g$ by $!y$ and $!x$, respectively. Line 11 is the standard logical implication $(\forall x.(C_1 \supset C_2) \supset (\exists x.C_1 \supset \exists x.C_2))$.

D.2. Derivation for Meyer-Sieber. For the derivation of (6.6) we use:

$$E = \forall f.(\Box\{\mathsf{T}\}\,f \bullet ()\{\mathsf{T}\}@\emptyset \supset \Box\{C\}\,g \bullet f\{C'\})$$

We use the following [LetRef] which is derived by [Ref] where $C'$ is replaced by $[!x]C'$.

$$[\mathit{LetRef}]\ \dfrac{\{C\}\,M :_m \{C_0\} \quad \{[!x]C_0 \wedge\, !x = m \wedge x\#\tilde{e}\}\,N :_u \{C'\} \quad x \notin \mathsf{fpn}(\tilde{e})}{\{C\}\,\mathsf{let}\ x = \mathsf{ref}(M)\ \mathsf{in}\ N :_u \{\nu x.C'\}}$$

with $C'$ thin w.r.t. $m$. The derivation follows. Below $M_{1,2}$ is the body of the first/second let, respectively.

1. $\{\mathsf{Even}(!x) \wedge [!x]C'\}\ \mathsf{if}\ \mathsf{even}(!x)\ \mathsf{then}\ ()\ \mathsf{else}\ \Omega()\ \{[!x]C'\}@\emptyset$ (If)

2. $\{[!x]C\}\ gf\ \{[!x]C'\}$ (cf. § 6.7)

3. $\{\mathsf{Even}(!x) \wedge [!x]C\}\ gf\ \{\mathsf{Even}(!x) \wedge [!x]C'\}$ (2, Inv)

4. $\{E \wedge [!x]C \wedge \mathsf{Even}(!x) \wedge x\#g\tilde{\imath}\}\ \mathsf{let}\ f = \ldots\ \mathsf{in}\ (gf; \ldots)\ \{[!x]C' \wedge x\#\tilde{\imath}\}$ (3, Seq, Let)

5. $\{E \wedge C\}\ \mathsf{MeyerSieber}\ \{\nu x.([!x]C' \wedge x\#\tilde{\imath})\}$ (4, LetRef)

6. $\{E \wedge C\}\ \mathsf{MeyerSieber}\ \{C'\}$ (5, Prop. 5.16)



D.3. Derivation for Object. We need the following generalisation. The procedure $u$ in (AIH) is of function type $\alpha \Rightarrow \beta$: when values of other types such as $\alpha \times \beta$ or $\alpha + \beta$ are returned, we can make use of a generalisation. For simplicity we restrict our attention to the case when types do not contain recursive or reference types.

$$\begin{array}{lll}
\mathsf{Inv}(u^{\alpha \times \beta}, C_0, x) & \stackrel{\mathrm{def}}{=} & \bigwedge_{i=1,2} \mathsf{Inv}(\pi_i(u), C_0, x) \\
\mathsf{Inv}(u^{\alpha + \beta}, C_0, x) & \stackrel{\mathrm{def}}{=} & \bigwedge_{i=1,2} \forall y_i.(u = \mathsf{inj}_i(y_i) \supset \mathsf{Inv}(y_i, C_0, x)) \\
\mathsf{Inv}(u^{\alpha}, C_0, x) & \stackrel{\mathrm{def}}{=} & \mathsf{T} \qquad (\alpha \in \{\mathsf{Unit}, \mathsf{Nat}, \mathsf{Bool}\})
\end{array}$$

Using this extension, we can generalise (AIH) so that the cancelling of $C_0$ is possible for all components of $u$. For example, if $u$ is a pair of functions, those two functions need to satisfy the same condition as in (AIH). This is what we shall use for cellGen. We call the resulting generalised axiom (AIH$_{\mathrm{C}}$).

Let cell be the internal $\lambda$-abstraction of cellGen. First, it is easy to obtain:

$$\{\mathsf{T}\}\ \mathsf{cell} : \{I_0 \wedge G_1 \wedge G_2 \wedge E'\} \qquad \text{(D.1)}$$

where, with $I_0 = (!x_0 = !x_1 \wedge x_0\#\tilde{\imath}\tilde{w})$ (noting $x\#v = \mathsf{T}$) and $E' = (!x_0 = z)$:

$$G_1 \stackrel{\mathrm{def}}{=} \Box\{I_0\}\,\pi_1(o) \bullet () = v\{v = !x_0 \wedge I_0\}@\emptyset$$
$$G_2 \stackrel{\mathrm{def}}{=} \Box\forall w.\{I_0\}\,\pi_2(o) \bullet w\{!x_0 = w \wedge I_0\}@x_0 x_1$$

which will become, after taking off the invariant $I_0$:

$$G_1' \stackrel{\mathrm{def}}{=} \Box\,\pi_1(o) \bullet () = v\{v = !x_1\}@\emptyset$$
$$G_2' \stackrel{\mathrm{def}}{=} \Box\forall w.\,\pi_2(o) \bullet w\{!x_0 = w\}@x_0.$$

Note $I_0$ is stateless except for $x_0$. In $G_1'$, notice the empty effect set means $!x_1$ does not change from the pre- to the post-condition. We now present the inference. Below we set $\mathsf{cell}' \stackrel{\mathrm{def}}{=} \mathsf{let}\ y = \mathsf{ref}(0)\ \mathsf{in}\ \mathsf{cell}$ and $\tilde{\imath}, k$ fresh.

1. $\{\mathsf{T}\}\ \mathsf{cell} : \{I_0 \wedge G_1 \wedge G_2 \wedge E'\}$

2. $\{\mathsf{T}\}\ \mathsf{cell}' : \{!x_0 = !x_1 \wedge G_1 \wedge G_2 \wedge E'\}$ (LetRef)

3. $\{\mathsf{T}\}\ \mathsf{let}\ x_1 = z\ \mathsf{in}\ \mathsf{cell}' : \{\nu x_1.(I_0 \wedge G_1 \wedge G_2) \wedge E'\}$ (LetRef)

4. $\{\mathsf{T}\}\ \mathsf{let}\ x_1 = z\ \mathsf{in}\ \mathsf{cell}' : \{G_1' \wedge G_2' \wedge E'\}$ (AIH$_{\mathrm{C}}$, ConsEval)

5. $\{\mathsf{T}\}\ \mathsf{let}\ x_{0,1} = z\ \mathsf{in}\ \mathsf{cell}' : \{\nu x.(x\#k \wedge \mathsf{Cell}(o, x) \wedge\, !x = z)\}$ (LetRef)

6. $\{\mathsf{T}\}\ \mathsf{cellGen} :_u \{\mathsf{CellGen}(u)\}.$ (Abs)